#️⃣ Hash Generator — MD5 SHA256 SHA512
Generate MD5, SHA-1, SHA-256 and SHA-512 hashes for text or files instantly. Free online hash calculator — runs in browser, nothing sent to any server.
How to Use
Enter text or file
Type or paste text in the input, or switch to File mode and drag a file onto the drop zone.
Hashes generate instantly
MD5, SHA-1, SHA-256 and SHA-512 hashes are calculated automatically as you type.
Copy any hash
Click the copy icon next to any hash row. Optionally compare against a known hash value.
Complete Guide: Hash Generator
What Is Cryptographic Hashing and Why It Matters
A cryptographic hash function takes an input of any size and produces a fixed-length output (the "digest") with three key properties: determinism (same input always gives the same output), one-wayness (you cannot reverse the digest to recover the input), and collision resistance (it's computationally infeasible to find two different inputs with the same digest).
These properties make hashing fundamental to modern computing. Git uses SHA-1 (and newer commits use SHA-256) to identify every commit, tree, and blob — the hash is the ID. File download sites publish SHA-256 checksums alongside downloads so you can verify the file wasn't tampered with in transit. HTTPS certificate chains use SHA-256 for signature verification. Every time you log in with a password, the server computes a hash and compares it against the stored hash — never storing your actual password.
The algorithms on offer: MD5 (128-bit, fast, widely supported — broken for security but fine for checksums where collision attacks aren't a concern), SHA-1 (160-bit, deprecated for security — don't use in new systems), SHA-256 (256-bit, the current industry standard), SHA-512 (512-bit, more resistant to length-extension attacks).
How to Use the Hash Generator
- Select Text or File mode at the top of the tool.
- Text mode: type or paste your input — MD5, SHA-1, SHA-256, and SHA-512 hashes appear instantly as you type.
- File mode: drag a file onto the drop zone. All four hashes are computed in the browser using the Web Crypto API and the FileReader API — the file never leaves your device.
- Copy any hash using the icon next to each row.
- Compare a hash: paste a known hash value into the comparison field to verify whether your input matches.
Code Examples
```javascript
// Browser: SHA-256 using the Web Crypto API
async function sha256(message) {
  const encoded = new TextEncoder().encode(message); // UTF-8 bytes
  const hashBuffer = await crypto.subtle.digest('SHA-256', encoded);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  // Hex-encode each byte, zero-padded to two digits
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}
// Top-level await requires a module script
const hash = await sha256('Hello, World!');
// 'dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d'
```

```javascript
// Node.js: SHA-256 and HMAC
import { createHash, createHmac } from 'crypto';
const hash256 = createHash('sha256').update('data').digest('hex');
const hmac = createHmac('sha256', 'secret-key').update('data').digest('hex');
// HMAC: authenticated hash — proves both the data AND the key match
```

```javascript
// File checksum (Node.js)
import { createHash } from 'crypto';
import { createReadStream } from 'fs';
const fileHash = createHash('sha256');
const stream = createReadStream('file.iso');
// Feed each chunk with update() and call digest() once, after the last chunk
stream.on('data', chunk => fileHash.update(chunk));
stream.on('end', () => console.log(fileHash.digest('hex')));
stream.on('error', err => console.error(err.message));
```
Common Mistakes to Avoid
- Using MD5 or SHA-1 for security — MD5 has known collision attacks (two different inputs producing the same hash). SHA-1 was deprecated by NIST in 2011. Use SHA-256 or SHA-3 for anything security-relevant.
- Hashing passwords with SHA-256 — Don't. Raw SHA hashes are fast (billions per second on a GPU), making them trivial to brute-force. Use bcrypt, Argon2, or scrypt — designed to be slow and memory-hard.
- Forgetting to salt before hashing passwords — Even with bcrypt, each password must have a unique random salt to prevent rainbow table attacks. Good password libraries handle this automatically.
- Treating equal hashes as equal data — Hash collisions, while rare with SHA-256, are theoretically possible. For critical verification (software signatures, certificates), use asymmetric signatures (RSA, ECDSA) not raw hashes.
- Length-extension attacks on SHA-256 — If you compute a keyed hash of (key, message) using raw concatenation instead of HMAC, SHA-256's Merkle-Damgård construction makes it vulnerable. Use the createHmac API, which handles this correctly.
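
The two password points in the list above, as an added example that is not part of the original page: a stored-record format built on Node's built-in scrypt with a per-password random salt, next to the unsalted SHA-256 pattern the list warns against. The record layout and function names are assumptions made for this illustration; the cost parameters are Node's scrypt defaults.

```javascript
// Added example: salted, memory-hard password hashing with Node's scrypt.
const { createHash, randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

const PARAMS = { N: 16384, r: 8, p: 1 }; // Node's scrypt defaults (~16 MiB per hash)
const KEY_LEN = 32;

// The pattern to avoid: fast and unsalted, so equal passwords share one digest.
function unsaltedSha256(password) {
  return createHash('sha256').update(password).digest('hex');
}

// Hypothetical record layout: scrypt$N$r$p$saltHex$keyHex
function hashPassword(password) {
  const salt = randomBytes(16); // unique per password
  const key = scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('hex'), key.toString('hex')].join('$');
}

function verifyPassword(password, record) {
  const [scheme, N, r, p, saltHex, keyHex] = String(record).split('$');
  if (scheme !== 'scrypt' || !saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length !== KEY_LEN) return false; // reject truncated records
  let actual;
  try {
    actual = scryptSync(password, Buffer.from(saltHex, 'hex'), KEY_LEN,
      { N: Number(N), r: Number(r), p: Number(p) });
  } catch {
    return false; // malformed or out-of-range cost parameters
  }
  return timingSafeEqual(actual, expected); // constant-time comparison
}
```

Two calls to hashPassword with the same password produce different records because the salt differs, while unsaltedSha256 returns the same digest every time.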
Comparison with Alternatives
CRC32 is a fast non-cryptographic checksum used for error detection (not security). BLAKE2/BLAKE3 are faster than SHA-256 while maintaining similar security — used in Zcash, libsodium, and modern password managers. SHA-3 (Keccak) uses a different internal structure (sponge construction) that's immune to length-extension attacks. bcrypt and Argon2 are the choice for passwords (see above). HMAC (Hash-based Message Authentication Code) adds a secret key to the hash — proves both data integrity and authenticity.
For encoding binary hashes in a text-safe format, use the Base64 Encoder. For generating cryptographically strong random identifiers (not hash-based), use the UUID Generator.
Pro Tips
- Verify downloads: After downloading a large file (Linux ISO, software installer), compute its SHA-256 hash and compare against the checksum published on the official site. One character difference = tampered file.
- Content-addressable storage: Git's object model, IPFS, and many caching systems use SHA hashes as content IDs — if two files have the same hash, they're identical, no byte comparison needed.
- Deduplication: Hash each file in a collection. Group by hash. Files with the same hash are duplicates — no need to byte-compare the contents.
- HMAC for API authentication: Sign API requests with HMAC-SHA256 using a shared secret. This is how AWS Signature Version 4, Stripe webhook verification, and GitHub webhooks authenticate payloads.
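
The HMAC tip above, as an added example that is not part of the original page: a receiver-side check for an HMAC-SHA256 signed request, with a constant-time comparison and a timestamp bound into the signature to limit replays. The header format, the 300-second window, and the function names are assumptions made for this illustration and are not the scheme of any named provider.

```javascript
// Added example: HMAC-SHA256 request verification with a shared secret.
const { createHmac, timingSafeEqual } = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window

// Sign "<timestamp>.<body>" so the timestamp cannot be altered separately.
function signPayload(secret, timestamp, body) {
  return createHmac('sha256', secret)
    .update(`${timestamp}.`)
    .update(body)
    .digest('hex');
}

// Hypothetical header format: "t=<unix seconds>,v1=<hex HMAC-SHA256>"
function verifyWebhook(secret, header, body, nowSeconds) {
  const fields = Object.fromEntries(
    String(header).split(',').map(kv => kv.trim().split('=', 2)));
  const { t, v1 } = fields;
  if (!/^\d{1,12}$/.test(t || '') || !/^[0-9a-f]{64}$/.test(v1 || '')) {
    return 'malformed';
  }
  const expected = Buffer.from(signPayload(secret, t, body), 'hex');
  const given = Buffer.from(v1, 'hex'); // regex guarantees 32 bytes
  // timingSafeEqual needs equal lengths and avoids an early-exit comparison
  if (!timingSafeEqual(expected, given)) return 'bad-signature';
  if (Math.abs(nowSeconds - Number(t)) > MAX_SKEW_SECONDS) return 'stale';
  return 'ok';
}
```

Verify against the raw request bytes as received, before any JSON parsing or re-serialization, since a re-encoded body will not match the signed one.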