Hash Generator

Generate MD5, SHA1, SHA256, and other hash values for text strings and verify data integrity.

Text Input

Enter text to hash

MD5

128-bit hash function

Enter text to generate hash

SHA-1

160-bit hash function

Enter text to generate hash

SHA-256

256-bit hash function

Enter text to generate hash

SHA-512

512-bit hash function

Enter text to generate hash

Complete Guide to Hash Functions

Everything you need to know about MD5, SHA-256, SHA-512, HMAC, and how to use cryptographic hashes in real projects.

Understanding Hash Functions

What Hash Functions Do

‣A hash function takes any input (text, file, password) and produces a fixed-length output called a digest or hash
‣Deterministic: same input always produces the same hash — no randomness
‣One-way: you cannot recover the original input from the hash (computationally infeasible)
‣Avalanche effect: changing even 1 bit of input changes ~50% of the output bits
‣Collision resistance: it should be computationally infeasible to find two different inputs with the same hash
‣Hash output size: MD5=128 bits (32 hex chars), SHA-1=160 bits (40 hex), SHA-256=256 bits (64 hex), SHA-512=512 bits (128 hex)
‣Encoding formats: hexadecimal (0-9, a-f), Base64 (A-Z, a-z, 0-9, +, /), or raw bytes
‣All processing in this tool uses the Web Crypto API — your data never leaves your browser

Common Hash Algorithms

‣MD5 (128-bit): fast, widely used — but cryptographically broken; still safe for checksums and non-security uses
‣SHA-1 (160-bit): deprecated for security — broken in 2017; still used in Git commit IDs and legacy systems
‣SHA-256 (256-bit): the current standard for most security applications; used in Bitcoin, TLS certificates, code signing
‣SHA-384 (384-bit): used in TLS 1.2/1.3 cipher suites requiring 384-bit strength
‣SHA-512 (512-bit): maximum SHA-2 strength; used in high-security applications and some Unix password hashing
‣SHA-3 / Keccak: completely different algorithm from SHA-2; used in Ethereum; resistant to length-extension attacks
‣BLAKE2/BLAKE3: modern, faster than SHA-256 with similar security; used in WireGuard, IPFS, Zcash
‣bcrypt/Argon2/PBKDF2: password hashing — deliberately slow; NOT produced by this tool (they require different parameters)

Algorithm Details & Output Formats

Algorithm Comparison Table

▪MD5: 128-bit / 32 hex chars — Speed: very fast — Security: broken — Use: checksums, deduplication
▪SHA-1: 160-bit / 40 hex chars — Speed: fast — Security: broken — Use: Git commit IDs, legacy
▪SHA-256: 256-bit / 64 hex chars — Speed: fast — Security: strong — Use: certificates, code signing, blockchain
▪SHA-384: 384-bit / 96 hex chars — Speed: moderate — Security: very strong — Use: TLS, government
▪SHA-512: 512-bit / 128 hex chars — Speed: moderate — Security: excellent — Use: high-security apps, password stretching
▪CRC32: 32-bit / 8 hex chars — Speed: extremely fast — Security: none (not a hash) — Use: error detection only

Hash Output Formats

▪Hexadecimal (lowercase): `a9993e364706816aba3e25717850c26c` — most common
▪Hexadecimal (uppercase): `A9993E364706816ABA3E25717850C26C` — some APIs require uppercase
▪Base64: `qZk+NkcGgWq6PiVxeFDCbhM=` — 33% shorter than hex, used in HTTP headers and JWT
▪Base64URL: same as Base64 but uses `-` and `_` instead of `+` and `/` — safe for URLs and filenames
▪Binary: raw bytes — used in low-level programming and network protocols
▪Uint8Array: JavaScript typed array — used in Web Crypto API
▪HMAC: keyed hash using SHA-256 or SHA-512 with a secret key — for API signatures

Web Crypto API

▪`crypto.subtle.digest('SHA-256', buffer)` — browser-native async hash
▪No external library needed — available in all modern browsers and Node.js
▪Input: ArrayBuffer (convert string with TextEncoder); Output: ArrayBuffer (convert to hex with Uint8Array)
▪Supported algorithms: SHA-1, SHA-256, SHA-384, SHA-512 (MD5 not supported natively)
▪HMAC: `crypto.subtle.importKey()` then `crypto.subtle.sign('HMAC', key, data)`
▪Performance: ~100–500 MB/s for SHA-256 on modern hardware
▪Use for: password pre-hashing, checksum verification, API request signing

Real-World Applications

File Integrity Verification

‣Download verification: software vendors publish SHA-256 hashes — compare to your downloaded file
‣Software distribution: hash executables before and after deployment to detect tampering
‣Backup verification: hash files before backup, re-hash after restore to confirm identical
‣Git commits: SHA-1 (soon SHA-256) identifies every commit, tree, and blob object
‣Package managers (npm, pip, cargo): lock files contain hashes to prevent supply chain attacks
‣Docker images: layers identified by SHA-256 content hash
‣IPFS: files addressed by their SHA-256 content hash
‣Deduplication: identify duplicate files without comparing byte-by-byte

Security & Authentication

‣Password storage: hash + salt before storing (use bcrypt/Argon2, not raw SHA-256)
‣API authentication: HMAC-SHA256 signs API requests (AWS Signature v4, GitHub webhooks)
‣JWT signature: RS256 or HS256 sign the header+payload
‣Digital certificates: SHA-256 in TLS/SSL certificate fingerprints
‣Code signing: macOS/Windows verify app signatures via SHA-256 hash
‣TOTP (2FA apps): HMAC-SHA1 generates 6-digit one-time codes
‣Content hashing in browsers: Subresource Integrity (SRI) uses SHA-256/384/512 for CDN assets
‣Blockchain: SHA-256 used in Bitcoin proof-of-work mining

Data Engineering & DevOps

‣ETL pipelines: hash input datasets to detect whether data changed since last run
‣Cache invalidation: hash content to generate cache keys (content-addressable storage)
‣Build systems: hashes determine whether source files have changed (Make, Bazel, Gradle)
‣CI/CD: hash artifact files to verify clean builds
‣Database deduplication: hash rows to quickly find exact duplicates
‣Configuration management: hash config files to trigger re-deployment on change
‣Audit logging: hash log entries to prove they haven't been modified
‣Distributed systems: consistent hashing for load balancing across nodes

Development & Testing

‣Generate deterministic test data IDs from input strings
‣Create unique but predictable identifiers for caching
‣Hash environment variables or secrets for comparison without exposing values
‣Verify that serialized data is transmitted without corruption
‣Generate ETag values for HTTP caching headers
‣Test hash-based fingerprinting in analytics systems
‣Benchmark different hash algorithms for performance-critical code paths
‣Generate checksums for synthetic test datasets

Best Practices

Choosing the Right Algorithm

▶For file checksums and deduplication (non-security): MD5 or SHA-256 both work; MD5 is faster
▶For digital signatures, certificates, and code signing: SHA-256 minimum — SHA-384 for government compliance
▶For password storage: use bcrypt, Argon2id, or PBKDF2 — never raw SHA-256 (too fast to brute-force)
▶For HMAC/API signatures: SHA-256 is the industry standard (AWS, GitHub, Stripe all use HMAC-SHA256)
▶For blockchain and cryptocurrency: SHA-256 (Bitcoin) or Keccak-256/SHA-3 (Ethereum)
▶For maximum security (classified/defense): SHA-512 or SHA-3
▶Avoid MD5 and SHA-1 for any new security application — they are cryptographically broken
▶For modern applications: SHA-256 is almost always the right choice

Common Mistakes to Avoid

▶Never use raw SHA-256 to hash passwords directly — it's too fast; use bcrypt/Argon2/PBKDF2
▶Never confuse hash functions with encryption — hashes are one-way; encryption is reversible
▶Always include a random salt when hashing passwords to prevent rainbow table attacks
▶Don't compare hashes with string equality in security-critical code — use constant-time comparison to prevent timing attacks
▶Don't assume the same input always produces the same hash across languages (encoding differences matter)
▶Always hash the entire input — partial hashing gives false assurance
▶When verifying downloaded files, use SHA-256 or higher — MD5 checksums can be forged
▶Don't use CRC32 as a hash — it's an error-detection code, not a cryptographic hash

Hash Examples by Category

Hash Verification Examples

Ubuntu 22.04 ISO SHA-256: `10f19c5b2b8d6db711582e0e27f5116296c34fe4b313ba45f9b201a5007056cb`
Node.js v20 tarball SHA-256: verify with `sha256sum node-v20.x.tar.gz`
Windows installer SHA-256: paste in `Get-FileHash installer.exe -Algorithm SHA256` in PowerShell
Python package hash: pip lock files store `sha256:` hashes for each package
npm package integrity: `sha512-` prefix in package-lock.json
Docker image digest: `sha256:abc123...` in `docker pull image@sha256:...`

String Hash Examples

MD5("hello"): `5d41402abc4b2a76b9719d911017c592`
SHA-1("hello"): `aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d`
SHA-256("hello"): `2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824`
SHA-512("hello"): `9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043`
MD5(""): `d41d8cd98f00b204e9800998ecf8427e` (empty string hash)
SHA-256("Hello" vs "hello"): completely different hashes (case-sensitive)

API Signature Examples

AWS S3 request signature: HMAC-SHA256(signing_key, string_to_sign)
GitHub webhook: HMAC-SHA256(secret, payload) → compare to `X-Hub-Signature-256` header
Stripe webhook: HMAC-SHA256(secret, timestamp+payload) → verify `Stripe-Signature`
JWT HS256: HMAC-SHA256(base64url(header)+'.'+base64url(payload), secret)
Generic API: `Authorization: HMAC-SHA256 nonce=..., timestamp=..., signature=...`
SRI hash: `<script integrity="sha256-abc123..." crossorigin>` for CDN asset verification

Frequently Asked Questions

What is the difference between a hash and encryption?▾

Encryption is reversible — you can decrypt the ciphertext back to plaintext using the correct key. Hashing is one-way — you cannot recover the original input from the hash, no matter what. This is why passwords should be hashed (not encrypted): even if the hash database is stolen, the original passwords cannot be recovered by reversing the hash.

Can I use SHA-256 to store passwords?▾

No — raw SHA-256 is too fast for password storage. An attacker with a GPU can test billions of SHA-256 hashes per second. Instead, use a deliberately slow algorithm: bcrypt, Argon2id (recommended), or PBKDF2. These are designed for password hashing — they add random salts, iterate thousands of times, and resist GPU-based cracking attacks.

Is MD5 completely broken and unsafe to use?▾

MD5 is cryptographically broken for security applications — collisions can be generated in seconds, and MD5 password databases have been cracked. However, it's still perfectly safe for non-security uses: deduplicating files, generating cache keys, or producing checksums where an adversary has no incentive to forge. The key question is: does an attacker benefit from producing a collision? If no, MD5 works fine.

What is an HMAC and when do I need it?▾

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a signature that proves a message is genuine and hasn't been tampered with. Use HMAC when you need authentication (proof of sender), not just integrity (proof of unchanged). Common uses: API request signing (AWS, GitHub, Stripe), webhook validation, and JWT HS256 tokens.

Why do the same words produce completely different hashes?▾

The avalanche effect: cryptographic hash functions are designed so that any single-bit change to the input changes approximately 50% of the output bits. This is intentional — it prevents attackers from discovering patterns in the input by comparing similar hashes. 'Hello' and 'hello' produce completely different SHA-256 hashes because one character's case differs.

Is my data secure when using this hash generator?▾

Yes. The hash generator runs entirely in your browser using the Web Crypto API — no input is ever sent to any server. You can verify this in browser DevTools (Network tab: no outgoing requests while hashing). Once you close the page, your input is gone — nothing is logged or stored. This makes the tool safe for hashing sensitive strings like API keys, passwords, or personal data.