Skip to content

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files

Digital Fingerprints for Anything

You downloaded a Linux ISO and the website lists a SHA-256 checksum next to the download link. How do you know the file wasn’t corrupted during the download, or worse, tampered with by a man-in-the-middle? You hash the file and compare. If the digests match, the file is identical to what the server published.

That’s what hash functions do. They take any input — a text string, a 4GB video file, a single character — and produce a fixed-length “fingerprint.” SHA-256 always outputs 64 hex characters. MD5 always outputs 32. Change one bit of the input and the entire output changes unpredictably. It’s a one-way function: you can’t reverse a hash back to the original data.

This tool computes MD5, SHA-1, SHA-256, and SHA-512 simultaneously from text or file input, all in your browser via the Web Crypto API.

Which Algorithm, and Why

SHA-256 is the workhorse. It’s what Bitcoin uses for proof-of-work, what Git uses for commit hashes (as of newer versions), and what most software checksums rely on. Use it by default.

SHA-512 produces a 128-character hex digest. Slightly slower on 32-bit systems, slightly faster on 64-bit. It’s overkill for most use cases, but some protocols specify it.

MD5 is cryptographically broken. Researchers demonstrated practical collision attacks back in 2004 — they created two different files with identical MD5 hashes. Don’t use it for security. It’s still fine as a quick non-security checksum for detecting accidental corruption.

SHA-1 is also broken. Google produced a SHA-1 collision (the “SHAttered” attack) in 2017. Git is migrating away from it. Like MD5, it’s acceptable for non-security checksums, but don’t rely on it when integrity against deliberate tampering matters.

Practical Scenarios

Verifying downloads. You grabbed the latest Node.js installer. The website shows sha256: abc123.... Hash the downloaded file here and compare. If they match, you’re good.

Deduplication. You’ve got 10,000 images in a folder and suspect there are duplicates. Hash each file — identical files produce identical hashes. Compare the digests instead of doing byte-by-byte file comparisons.

Build pipelines. CI/CD systems often hash build artifacts to detect changes. If the hash of your compiled binary matches the previous build’s hash, nothing changed and you can skip deployment.

Git internals. Every Git object — commits, trees, blobs — is addressed by its SHA hash. Understanding how hashing works makes Git’s content-addressable storage model click.

Don’t hash passwords with a plain SHA-256. It’s too fast — an attacker with a GPU can compute billions of SHA-256 hashes per second. For passwords, use the Password Hasher (PBKDF2) which adds salting and thousands of iterations to slow things down. If you need a keyed hash (for webhook signatures or API authentication), the HMAC Generator is what you want.

All hashing runs client-side. Your text and files stay in your browser. Close the tab and everything’s gone.

hash md5 sha1 sha256 sha512 security crypto

Related Tools

More in Security Tools