Skip to content
Processing locally — files never leave your device

Hash Generator

Compute cryptographic hashes for text using the browser SubtleCrypto API. Inputs never leave the page.

Bloggers — embed this widget for free

Add this tool to your own site with one line of HTML. Free forever — just keep the small credit link.

How to use Hash Generator

  1. Type or paste your text into the input area.
  2. Hashes update automatically as you type.
  3. Click any hash to copy it to your clipboard.

What a cryptographic hash actually is

A hash function takes input of any length — a word, a novel, a disk image — and produces a fixed-size fingerprint called a digest. The same input always yields the same digest, and two different inputs are practically guaranteed to yield different ones (collision resistance). That combination makes hashes the standard way to verify integrity: if the digest matches, the content matches. Because the digest is the whole point — a value you compare, not data you transmit — every algorithm here runs in the page and nothing you type is sent anywhere.

The avalanche effect: one character, a completely new digest

Try it in the tool above. The SHA-256 of hello begins 2cf24dba5fb0…; capitalize one letter to Hello and it becomes 185f8db32271… — every part of the digest changes, not just one corner of it. A well-designed hash flips about half of its output bits for any single-bit change in the input. This is what makes digests useful as fingerprints: a near-identical file does not get a near-identical hash, so even the smallest corruption or tampering is unmistakable.

Digest sizes at a glance

  • MD5 — 128 bits, 32 hex characters. Broken for security since 2004.
  • SHA-1 — 160 bits, 40 hex characters. Practical collisions demonstrated in 2017.
  • SHA-256 — 256 bits, 64 hex characters. The modern default.
  • SHA-512 — 512 bits, 128 hex characters. Often faster on 64-bit CPUs.

Why MD5 and SHA-1 are deprecated

Both algorithms have practical collision attacks: researchers can construct two different inputs that hash to the same digest. MD5 collisions have been cheap to produce since 2004, and they have been weaponized — the Flame malware used one to forge a Microsoft code-signing certificate. SHA-1 fell in 2017 when Google's SHAttered project published two different PDFs with identical SHA-1 digests. Collisions matter wherever a hash stands in for trust: certificates, signatures, deduplication. They matter less for accidental-corruption checks, which is why MD5 checksums still float around on download pages — but for anything new, use SHA-256.

Hashing, encryption, and encoding are three different things

Developers mix these up constantly. Encoding (like Base64) transforms data so it survives transport and is trivially reversible by anyone. Encryption scrambles data so that only key holders can reverse it. Hashing destroys the data on purpose: the digest cannot be turned back into the input. So you encrypt a message you need to read later, encode binary you need to ship as text, and hash a value you only ever need to compare.

A note on passwords

Fast hashes are the wrong tool for passwords precisely because they are fast — a modern GPU can compute billions of SHA-256 digests per second, which makes brute-forcing leaked digests cheap. Password storage needs deliberately slow, salted functions: bcrypt, scrypt, or argon2 with a tuned work factor. Use this generator for checksums, cache keys, and fingerprints, not for anything a user types to log in.

Common uses

  • File integrity checks (download checksums)
  • Content-addressed storage (Git uses SHA-1; IPFS uses SHA-256)
  • Cache keys derived from content
  • Detecting changes between two versions of a string
  • Generating deterministic IDs from input

Related tools

Frequently asked questions

Are MD5, SHA-1, SHA-256, and SHA-512 secure for passwords?
No — none of these are appropriate for password storage. They are general-purpose hashes designed for speed. For passwords, use bcrypt, scrypt, or argon2 with a salt and a work factor. For data integrity, however, SHA-256 and SHA-512 are entirely fine.
When would I use which?
SHA-256 is the modern default for nearly everything: file checksums, content addressing, signatures. SHA-512 is faster on 64-bit hardware and gives a longer digest. SHA-1 and MD5 are broken for security but still appear in legacy systems and as cheap content fingerprints where collision resistance is not required.
Could my input end up in someone’s logs?
It cannot reach ours, because nothing is transmitted. SHA digests are produced by the browser’s SubtleCrypto API and MD5 is computed by JavaScript loaded into this page — so even a value derived from a password or token is hashed where you typed it.
Why does the same text always produce the same hash?
That's the defining property of a hash: deterministic for a given input. The flip side is that the same input always produces the same output, which is why naive password hashing without a salt is vulnerable — attackers can build lookup tables.
Can I hash a file?
This tool is for text. To hash a file, drop it into a file-aware tool (we may add one later); the math is the same, but the input is bytes from a file rather than a string.
Can a hash be reversed to get the original text back?
Not mathematically. A hash is a one-way function: infinitely many inputs map to each digest, so there is no inverse. What attackers actually do is guess — they hash billions of candidate inputs and compare. Short or common inputs ("password123") fall instantly to precomputed rainbow tables, which is why salts exist.
What is the avalanche effect?
A good hash flips roughly half of its output bits when a single input bit changes. Hash "hello" and "Hello" with SHA-256 and the two digests share no visible resemblance. This is deliberate: it means the digest reveals nothing about how similar two inputs are.
Is hashing the same as encryption?
No. Encryption is reversible by design — anyone with the key can recover the original. Hashing is one-way and keyless; there is nothing to decrypt. If you need to get data back, you want encryption; if you only need to verify or fingerprint data, you want a hash. Base64, for the record, is neither — it is just an encoding.

More tools you might find useful in the same flow.

Built by Muhammad Tahir · About