About Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files. Free hash generator for verifying checksums and data integrity — runs locally, nothing sent to a server.
How to use
- Paste text into the input or drag-drop a file onto the tool. Text is hashed as UTF-8 bytes, so trailing newlines, BOM markers, and CRLF vs LF line endings produce different hashes — this is intentional and is what makes hashing useful for integrity. Quick sanity check: SHA-256 of the exact 8-character string
password is 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8; if you get a different value, your input has hidden whitespace.
- Pick one or more algorithms. Output sizes: MD5 = 128 bits / 32 hex chars, SHA-1 = 160 bits / 40 chars, SHA-256 = 256 bits / 64 chars, SHA-512 = 512 bits / 128 chars. SHA-256 is the modern default — it is what Git uses for commit IDs (since SHA-1 was deprecated in 2018), what TLS certificates sign with, what Bitcoin mines on, and the standard for digital signatures.
- Avoid MD5 and SHA-1 for anything security-relevant. Both are cryptographically broken: SHA-1 collisions were demonstrated in 2017 (the SHAttered attack), and MD5 collisions can be generated in seconds on a laptop. They are still acceptable for non-security uses like cache keys, file deduplication, and download integrity checks where a malicious actor cannot influence the input. Use SHA-256 if there is any doubt.
- Verify file checksums by computing the hash locally and comparing against the publisher's published value. ISO downloads, package managers, and signed releases all publish a SHA-256 next to the download — match it character-for-character before you run the installer. A mismatch means the file was corrupted in transit or, worse, swapped by a man-in-the-middle attacker. This is one of the few defenses against compromised mirrors.
- All hashing runs locally via the Web Crypto API (
crypto.subtle.digest) — the same primitive your browser uses for TLS handshakes. No bytes leave your machine, so it is safe to hash sensitive content like config files. That said, do not hash actual user passwords here: production password storage requires a memory-hard slow hash like Argon2id, bcrypt, or scrypt with a per-user salt — not raw SHA-256, which a GPU can compute at billions of guesses per second.
- Click any hash to copy. Hashes are case-insensitive in hex but conventionally lowercase. If you need HMAC (a hash combined with a secret key for API request signing, JWT validation, or webhook verification), this tool computes plain hashes only — HMAC-SHA256 requires the additional key parameter and the standard
H(K XOR opad || H(K XOR ipad || message)) construction.
- Pair with the Password Generator to create test data: generate a strong random string, hash it with SHA-256, and use the hash as a deterministic but secret-looking ID for fixtures. Or use the hash output directly as a versioning key — content-addressed storage systems like Git and IPFS hash the content itself to produce the identifier.
Frequently asked questions
What hash algorithm should I use?
For any security-sensitive purpose — password storage, digital signatures, certificate verification, blockchain transactions — use SHA-256 or SHA-512. These algorithms have no known practical collision attacks as of 2025. MD5 and SHA-1 are considered cryptographically broken: researchers have demonstrated real-world collision attacks against both. However, MD5 is still acceptable for non-security checksums like verifying file downloads or generating cache keys where collision resistance is not critical.
MD5 vs SHA-256?
MD5 produces a 128-bit hash (32 hex characters) and is extremely fast, but it has been broken since 2004 when researchers demonstrated practical collision attacks. SHA-256 produces a 256-bit hash (64 hex characters) with vastly stronger collision resistance — finding a collision would require approximately 2^128 operations, which is computationally infeasible with current and foreseeable technology. SHA-256 is the industry standard for security applications including TLS/SSL certificates, Git commit hashes, and cryptocurrency mining.
Can I verify a file checksum?
Yes. Upload or drag-and-drop any file (ISO images, software installers, firmware updates) to generate its hash. Then compare the result against the checksum provided by the file publisher on their download page. If the two hashes match exactly, the file is authentic and uncorrupted. This is a critical security practice — it protects against man-in-the-middle attacks where a malicious actor could swap a legitimate download with a compromised version.
Is it safe to hash data here?
Yes. All hashing runs entirely in your browser using the Web Crypto API, a native browser feature that performs cryptographic operations without any server communication. No data leaves your device at any point. That said, do not paste actual passwords into any web tool — passwords should be hashed server-side using specialized algorithms like bcrypt, scrypt, or Argon2 that include salting and key stretching, not raw SHA-256.
Can you reverse a hash?
No. Cryptographic hash functions are one-way by mathematical design — they transform input data into a fixed-length output, but the process cannot be reversed. There is no function that takes a SHA-256 hash and returns the original input. The only way to 'crack' a hash is to try many possible inputs until you find one that produces the same hash (brute force) or to look it up in a precomputed table of common inputs and their hashes (rainbow table). This is why strong, long, random inputs are critical — they resist both attack methods.
What is a hash collision and why does it matter?
A hash collision occurs when two different inputs produce the same hash output. Since hash outputs are fixed-length (e.g., 256 bits for SHA-256) but inputs can be infinitely long, collisions must theoretically exist. What matters is whether anyone can find one intentionally. For SHA-256, no practical collision has ever been found. For MD5 and SHA-1, collisions can be generated in seconds on modern hardware, which is why those algorithms are deprecated for security use.
What is HMAC and how is it different from a regular hash?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce an authentication tag. While a regular hash only verifies data integrity (the data has not changed), HMAC also verifies authenticity (the data came from someone who knows the secret key). HMAC-SHA256 is widely used in API authentication, JWT token signing, and webhook signature verification. This tool generates plain hashes — for HMAC you would also need to provide a secret key.
Part of ToolFluency’s library of free online tools for Developer Tools. No account needed, no data leaves your device.