DevKits

Hash Generator (MD5, SHA-1, SHA-256, SHA-512)

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes of any text online. All hashing happens in your browser using the Web Crypto API.

Last updated:

MD5
SHA-1
SHA-256
SHA-512

MD5 and SHA-1 are cryptographically broken and unsuitable for passwords or signatures. Use SHA-256+ for integrity, and bcrypt / scrypt / Argon2 for password storage.

Type text above to see the MD5, SHA-1, SHA-256, and SHA-512 hashes update live. Computed in your browser via the Web Crypto API.

What is Hash Generator?

A cryptographic hash function turns any input into a fixed-size fingerprint. It's one-way (you can't reverse it) and deterministic (same input always produces the same output). Common uses: checksums to detect corruption, fingerprints for change detection, and — with careful key-derivation functions — password storage.

How to generate hashes online

  1. 1Type or paste your text into the input field.
  2. 2MD5, SHA-1, SHA-256, and SHA-512 hashes update live as you type.
  3. 3Click any hash's Copy button to grab it.
  4. 4Toggle between UTF-8 and hex input if your source is a hex-encoded binary.

Use Cases

File integrity check

Verify a download matches the publisher's SHA-256 checksum — a mismatch means the file was corrupted or tampered.

Content-addressed storage

Git, Docker, and IPFS name objects by their hash — same content, same address, automatic deduplication.

Etag / cache-busting

Hash a file's contents and use the first 8 hex chars as an ETag or filename suffix (`main.a1b2c3d4.js`) so caches invalidate on change.

HMAC and signature verification

SHA-256 is the building block for HMAC — used to sign webhooks and API requests.

Code Examples

SHA-256 in the browser

async function sha256(text) {
  const bytes = new TextEncoder().encode(text);
  const hash = await crypto.subtle.digest("SHA-256", bytes);
  return [...new Uint8Array(hash)].map(b => b.toString(16).padStart(2, "0")).join("");
}

Hashes in Python

import hashlib
hashlib.md5(b"hello").hexdigest()
hashlib.sha256(b"hello").hexdigest()

SHA-256 in Go

import (
    "crypto/sha256"
    "encoding/hex"
)

sum := sha256.Sum256([]byte("hello"))
fmt.Println(hex.EncodeToString(sum[:]))

Hashes from the shell

echo -n "hello" | md5sum
echo -n "hello" | sha256sum
shasum -a 256 file.zip

Key Concepts

MD5
128-bit output. Cryptographically broken since 2004 — collisions are cheap. Fine as a non-security fingerprint (e.g. dedup); never for signatures or passwords.
SHA-1
160-bit output. Collision attack demonstrated by Google in 2017. Deprecated for signatures; still fine as a git object id.
SHA-256 / SHA-2
256-bit output. The modern default. No practical attack. Used by Bitcoin, TLS certificates, Git object hashes (as of 2020+).
SHA-3 / Keccak
A different construction from SHA-2, standardized in 2015. Equally secure, less widely deployed. Same 256/384/512 output sizes.
Password hashing
Never use plain SHA-256 for passwords. Use bcrypt, scrypt, or Argon2 — they're deliberately slow and salt each password separately.

Tips & Best Practices

  • Always verify against SHA-256 or better. MD5 and SHA-1 checksums are still common but should be treated as advisory only.
  • Hash the raw bytes, not the text. `sha256("hello")` and `sha256("hello ")` (trailing space) are wildly different — invisible whitespace bites people.
  • When comparing hashes in code, use a constant-time comparison (`crypto.timingSafeEqual` in Node) to avoid timing side-channels.
  • For file hashing in the browser, stream chunks through `crypto.subtle.digest` — loading a 1GB file into memory first is a bad idea.

Frequently Asked Questions

Should I use MD5 for passwords?

No. MD5 and SHA-1 are cryptographically broken and unsuitable for password storage. Use a dedicated password hashing function such as bcrypt, scrypt, or Argon2 with a per-user salt.

Is my input sent to any server?

No. Hashing runs locally in your browser via the Web Crypto API (window.crypto.subtle). Your input never leaves your device.

Related Tools