HomeGeneratorsSecurityHash Generator

Hash Generator

Security

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text instantly. All hashing runs in your browser — nothing is uploaded or stored.

MD5
SHA-1
SHA-256
SHA-384
SHA-512

What is a Hash?

A Hash Generator takes any text input and produces its cryptographic hash — a fixed-length fingerprint computed by a hash algorithm. This tool generates five hashes simultaneously: MD5, SHA-1, SHA-256, SHA-384, and SHA-512. All computation runs in your browser using the built-in Web Crypto API and a pure JavaScript MD5 implementation — nothing is transmitted to any server.

A hash is deterministic and one-way: the same input always produces the same output, but the original input cannot be reconstructed from the hash. A single character change anywhere in the input produces a completely different hash — this property, called the avalanche effect, is what makes hashes useful for integrity verification. The SHA-256 hash of "hello" starts with 2cf24db... and the hash of "Hello" (capital H) is an entirely different 64-character string.

Hash functions are fundamental to modern software: Git uses SHA-1 (transitioning to SHA-256) to identify every commit and file object; Linux package managers publish SHA-256 checksums alongside downloads so users can verify integrity; HTTPS certificate signing uses SHA-256; most API webhook verification systems use HMAC-SHA256 to prove request authenticity. Understanding which algorithm to use and why is one of the foundational skills in backend and security development.

For generating cryptographically random API keys and tokens (rather than hashing known text), use the API Key Generator. For strong passwords, use the Password Generator, which produces random credentials rather than hashes.

How to use this Hash calculator

  1. Type or paste your text into the Text to Hash field. The hashes update automatically as you type.
  2. Read the five hash outputs — MD5, SHA-1, SHA-256, SHA-384, and SHA-512 appear simultaneously.
  3. Copy the hash you need using the copy button next to each output.
  4. Compare against an expected value — if the hashes match, the input text is identical. If they differ, even by one character, the hashes will be completely different.

Formula & Methodology

SHA-1, SHA-256, SHA-384, SHA-512 are computed using the browser's built-in crypto.subtle.digest() API — the same cryptographic implementation used by the browser for HTTPS. The text is encoded as UTF-8 bytes using TextEncoder, passed to crypto.subtle.digest(), and the resulting ArrayBuffer is converted to a lowercase hex string.

MD5 is computed using a pure JavaScript implementation of RFC 1321 — synchronous, no external library, running entirely in the browser. The implementation is a standard LCG-based MD5 using 32-bit integer arithmetic.

Important limitations:
- MD5 and SHA-1 are cryptographically broken — do not use them for new security applications. Use SHA-256 or higher.
- This tool hashes text (UTF-8 encoded). File hashing requires a different approach (reading the file as an ArrayBuffer).
- The tool does not perform HMAC — it computes plain hashes only.
Frequently Asked Questions
What is a hash function?
A hash function takes an input of any length and produces a fixed-length output string called a hash or digest. The same input always produces the same hash, but even a tiny change to the input produces a completely different hash. Hash functions are one-way — you cannot reverse a hash back to the original input. They are used to verify data integrity, store passwords securely, generate checksums, and create digital signatures.
What is the difference between MD5, SHA-1, SHA-256, SHA-384, and SHA-512?
These are different hash algorithms with different output lengths and security strengths. MD5 produces a 128-bit (32-character hex) hash — it is fast but cryptographically broken and should not be used for security purposes, only for checksums and legacy compatibility. SHA-1 produces a 160-bit (40-character) hash and is also considered insecure for cryptographic use. SHA-256 produces a 256-bit (64-character) hash and is the current standard for most security applications. SHA-384 and SHA-512 produce longer hashes (96 and 128 hex characters) offering higher collision resistance, used in high-security contexts.
When should I use SHA-256 versus SHA-512?
SHA-256 is the right default for most applications — password hashing (with bcrypt/Argon2 layered on top), file checksums, HMAC signatures, and JWT tokens. SHA-512 is preferred when working on 64-bit platforms where it runs at the same speed as SHA-256, or when your application requires stronger collision resistance (e.g. signing long-term certificates or sensitive documents). For web APIs, SHA-256 is the standard — it is what AWS Signature Version 4, GitHub webhooks, and most HMAC implementations use.
Is MD5 safe for passwords?
No. MD5 is completely unsuitable for password hashing. It is far too fast — modern hardware can compute billions of MD5 hashes per second, making brute-force attacks trivial. MD5 is also cryptographically broken — collision attacks have been demonstrated. For password storage, use bcrypt, scrypt, or Argon2, which are deliberately slow and memory-hard. MD5 is only appropriate for non-security uses: file integrity checksums, cache keys, and legacy systems that cannot be migrated.
How are these hashes used in software development?
Common uses: file integrity verification (compute SHA-256 of a downloaded file and compare against the published checksum); API request signing (HMAC-SHA256 of the request body ensures it was not tampered with in transit); database deduplication (hash a record's key fields to quickly detect duplicates); cache keys (hash a query or input to generate a stable cache key); content-addressable storage (Git uses SHA-1/SHA-256 to identify every commit and file object by its hash).
What does 'all hashing runs in the browser' mean?
The hash values shown by this tool are computed entirely within your web browser using the built-in Web Crypto API (for SHA-1, SHA-256, SHA-384, SHA-512) and a pure JavaScript MD5 implementation. No text you enter is sent to any server, stored in a database, or logged anywhere. This is important when hashing sensitive text like API secrets or connection strings for debugging — the content never leaves your device.
Can I use this to verify a file checksum?
This tool hashes text input, not files. To verify a file checksum, paste the file's content as text if it is a text file, or use a command-line tool: `sha256sum filename` on Linux/macOS, or `Get-FileHash filename` in Windows PowerShell. For comparing the SHA-256 of a downloaded file against a published checksum, the command-line approach is faster and more reliable than a browser tool.
What is HMAC and how is it different from a plain hash?
HMAC (Hash-based Message Authentication Code) is a hash that incorporates a secret key — it proves both that the message was not tampered with AND that the sender knows the secret. A plain hash proves only integrity (content unchanged) but not authenticity (who sent it). HMAC-SHA256 is used in webhook signature verification (Stripe, GitHub, Razorpay all use it), JWT signing, and AWS API request authentication. This tool generates plain hashes; for HMAC you need to implement it in code using the `crypto.createHmac()` API (Node.js) or `crypto.subtle.importKey()` + `crypto.subtle.sign()` (browser).
Is a longer hash always more secure?
Longer hashes have more possible values, making collisions (two different inputs producing the same hash) exponentially harder to find. SHA-512 has 2^512 possible outputs versus SHA-256's 2^256 — but SHA-256 already has far more possible values than any attack is remotely feasible against. The practical security difference between SHA-256 and SHA-512 is negligible for most applications. Choose based on your platform (SHA-512 is faster on 64-bit CPUs) and your ecosystem's conventions, not on the assumption that SHA-512 is 'more secure' in a meaningful sense.
Can two different texts produce the same hash (collision)?
Theoretically yes — any hash function with a finite output can produce collisions since there are infinite possible inputs. In practice, no two meaningful inputs have ever been shown to produce the same SHA-256 or SHA-512 hash. MD5 and SHA-1 collisions have been demonstrated (the 'SHAttered' attack against SHA-1 in 2017, MD5 collisions since 2004), which is why they are no longer used for security. For SHA-256 and above, the probability of an accidental collision is so low it can be treated as zero for all practical purposes.

Related Calculators

security
Password Generator
Generate strong, random passwords with customisable length and charact
security
API Key Generator
Generate cryptographically secure API keys in hex, base62, or prefixed
dev
UUID/GUID Generator
Generate RFC 4122 version 4 UUIDs (GUIDs) instantly for development an