Hash Generator (MD5, SHA-1, SHA-256, SHA-512)
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes of any text online. All hashing happens in your browser using the Web Crypto API.
Last updated:
MD5 and SHA-1 are cryptographically broken and unsuitable for passwords or signatures. Use SHA-256+ for integrity, and bcrypt / scrypt / Argon2 for password storage.
Type text above to see the MD5, SHA-1, SHA-256, and SHA-512 hashes update live. Computed in your browser via the Web Crypto API.
What is Hash Generator?
A cryptographic hash function turns any input into a fixed-size fingerprint. It's one-way (you can't reverse it) and deterministic (same input always produces the same output). Common uses: checksums to detect corruption, fingerprints for change detection, and — with careful key-derivation functions — password storage.
How to generate hashes online
- 1Type or paste your text into the input field.
- 2MD5, SHA-1, SHA-256, and SHA-512 hashes update live as you type.
- 3Click any hash's Copy button to grab it.
- 4Toggle between UTF-8 and hex input if your source is a hex-encoded binary.
Use Cases
File integrity check
Verify a download matches the publisher's SHA-256 checksum — a mismatch means the file was corrupted or tampered.
Content-addressed storage
Git, Docker, and IPFS name objects by their hash — same content, same address, automatic deduplication.
Etag / cache-busting
Hash a file's contents and use the first 8 hex chars as an ETag or filename suffix (`main.a1b2c3d4.js`) so caches invalidate on change.
HMAC and signature verification
SHA-256 is the building block for HMAC — used to sign webhooks and API requests.
Code Examples
SHA-256 in the browser
async function sha256(text) {
const bytes = new TextEncoder().encode(text);
const hash = await crypto.subtle.digest("SHA-256", bytes);
return [...new Uint8Array(hash)].map(b => b.toString(16).padStart(2, "0")).join("");
}Hashes in Python
import hashlib
hashlib.md5(b"hello").hexdigest()
hashlib.sha256(b"hello").hexdigest()SHA-256 in Go
import (
"crypto/sha256"
"encoding/hex"
)
sum := sha256.Sum256([]byte("hello"))
fmt.Println(hex.EncodeToString(sum[:]))Hashes from the shell
echo -n "hello" | md5sum
echo -n "hello" | sha256sum
shasum -a 256 file.zipKey Concepts
- MD5
- 128-bit output. Cryptographically broken since 2004 — collisions are cheap. Fine as a non-security fingerprint (e.g. dedup); never for signatures or passwords.
- SHA-1
- 160-bit output. Collision attack demonstrated by Google in 2017. Deprecated for signatures; still fine as a git object id.
- SHA-256 / SHA-2
- 256-bit output. The modern default. No practical attack. Used by Bitcoin, TLS certificates, Git object hashes (as of 2020+).
- SHA-3 / Keccak
- A different construction from SHA-2, standardized in 2015. Equally secure, less widely deployed. Same 256/384/512 output sizes.
- Password hashing
- Never use plain SHA-256 for passwords. Use bcrypt, scrypt, or Argon2 — they're deliberately slow and salt each password separately.
Tips & Best Practices
- ▸Always verify against SHA-256 or better. MD5 and SHA-1 checksums are still common but should be treated as advisory only.
- ▸Hash the raw bytes, not the text. `sha256("hello")` and `sha256("hello ")` (trailing space) are wildly different — invisible whitespace bites people.
- ▸When comparing hashes in code, use a constant-time comparison (`crypto.timingSafeEqual` in Node) to avoid timing side-channels.
- ▸For file hashing in the browser, stream chunks through `crypto.subtle.digest` — loading a 1GB file into memory first is a bad idea.
Frequently Asked Questions
Should I use MD5 for passwords?
No. MD5 and SHA-1 are cryptographically broken and unsuitable for password storage. Use a dedicated password hashing function such as bcrypt, scrypt, or Argon2 with a per-user salt.
Is my input sent to any server?
No. Hashing runs locally in your browser via the Web Crypto API (window.crypto.subtle). Your input never leaves your device.
Related Tools
JWT Decoder
Decode JSON Web Tokens (JWT) to inspect the header, payload, and signature. Runs entirely in your browser — tokens are never sent to any server.
JWT Generator
Create signed JSON Web Tokens with HMAC-SHA algorithms. Set custom claims, expiration, and secret — everything runs locally in your browser.
HMAC Generator
Compute HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512. Used to verify API requests, sign webhooks, and authenticate messages.
JSON Formatter
Format, beautify, and validate JSON online. Free, fast, and 100% local — your data never leaves your browser.
JSON Validator
Validate JSON online with instant error location and structure statistics (depth, keys, node types). 100% local — your JSON never leaves the browser.
JSON → TypeScript
Convert JSON to TypeScript interfaces instantly. Generate strongly-typed TS types from any JSON sample.