Tip: Ctrl+Enter to generate hashes
What this tool does
Free hash generator -- generate MD5, SHA-256, SHA-512 hashes from text and files online
This free hash generator computes five cryptographic hash algorithms -- MD5, SHA-1, SHA-256, SHA-384, and SHA-512 -- simultaneously from any text input or file. For text, simply type or paste your input and click Generate Hashes. For files, use the File tab with drag-and-drop or the file browser to hash any file up to the size your browser can handle in memory. All five algorithm outputs appear instantly with one-click copy buttons and an optional uppercase toggle, making it easy to compare hashes or use them in documentation, code comments, or security audits.
All hashing runs entirely in your browser with zero server involvement. SHA-1, SHA-256, SHA-384, and SHA-512 use the browser's native Web Crypto API -- a hardware-accelerated, FIPS-compliant implementation built into every modern browser. MD5 uses a pure JavaScript implementation since the Web Crypto API specification does not include MD5 (intentionally, due to its broken cryptographic status). The result is a tool that is fast, private, and completely offline -- your input text and file contents never leave your device.
Hash generators have a wide range of use cases across security, development, and data integrity workflows. Developers use SHA-256 hashes to sign API requests, verify file downloads, generate deterministic identifiers, and create checksums for build artifacts. Security teams use file hashing in digital forensics to prove that evidence has not been tampered with. System administrators use MD5 or SHA-256 checksums to verify that downloaded ISOs and packages match the publisher's published values. Cryptographers and researchers use this tool to quickly explore the output of different hash functions on the same input to study the avalanche effect and algorithm behavior.
Algorithms and features
MD5 (128-bit)
Produces a 32-character hex hash. Cryptographically broken -- use only for non-security checksums like verifying accidental file corruption.
SHA-1 (160-bit)
Produces a 40-character hex hash. Deprecated for security use after 2017 collision attacks. Still used in legacy systems and Git (being migrated to SHA-256).
SHA-256 (256-bit)
The current security standard. Used in TLS certificates, Bitcoin, JWT, Git, and most modern cryptographic systems. Recommended for all security-sensitive applications.
SHA-384 (384-bit)
Part of the SHA-2 family. Provides additional collision resistance over SHA-256 with a longer output. Used in some TLS cipher suites and government applications.
SHA-512 (512-bit)
Largest output in this tool. Faster than SHA-256 on 64-bit processors and provides maximum collision resistance. Used where the longest possible hash output is required.
File hashing
Hash any file locally via drag-and-drop or file browser. Computes all 5 algorithms simultaneously. Used for verifying software downloads and forensic evidence integrity.
Web Crypto API
SHA algorithms use the browser's native hardware-accelerated crypto implementation -- the same engine used by TLS in your browser.
100% client-side
Nothing is transmitted to any server at any point. Your text and file contents remain on your device and are processed entirely in JavaScript and the browser crypto engine.
Uppercase toggle
Switch between lowercase and uppercase hex output with one click. Some systems require uppercase checksums -- toggle without recomputing.
One-click copy
Each hash has its own Copy button that writes the current case (upper or lower) to the clipboard and confirms with a visual 'Copied!' state.
Examples
Hash generator examples -- common use cases and what the output looks like
These examples show real hash outputs for different inputs and explain when to use each algorithm.
ExcellentSHA-256 -- production-ready file integrity checksum
Input: ubuntu-24.04-desktop-amd64.iso
SHA-256: 8762f7e74e4d7745f5a8d1d04f4df35e
b04de3a4dab3f08a0e3d7c9f2b5e6c11
SHA-256: 8762f7e74e4d7745f5a8d1d04f4df35e
b04de3a4dab3f08a0e3d7c9f2b5e6c11
A SHA-256 hash of a downloaded ISO file, compared to the checksum published by the software vendor, confirms the file is authentic and unmodified. Any tampering -- even a single bit change -- would produce a completely different hash. This is the gold standard for verifying software downloads and is used by Linux distributions, security tools, and every major software repository.
GoodSHA-256 of a string -- API request signing
Input: "Hello, World!"
SHA-256: dffd6021bb2bd5b0af676290809ec3a5
3191de30f7a6e99b72ad3afe5c8a4a90
SHA-256: dffd6021bb2bd5b0af676290809ec3a5
3191de30f7a6e99b72ad3afe5c8a4a90
SHA-256 hashes of strings are used in HMAC signatures for API authentication (AWS Signature v4, GitHub webhook signatures), JWT token verification, and Git object IDs. The 64-character hex output is deterministic -- the same string always produces the same hash -- making it ideal for creating verifiable, reproducible identifiers without storing sensitive data.
FairSHA-1 -- legacy system compatibility only
Input: "password123"
SHA-1: cbfdac6008f9cab4083784cbd1874f76
140ac0d2e16cc8ee86f1719044
SHA-1: cbfdac6008f9cab4083784cbd1874f76
140ac0d2e16cc8ee86f1719044
SHA-1 produces a 40-character hash and is still used in some legacy systems including older Git repositories and certain certificate validation workflows. However, practical collision attacks have been demonstrated since 2017, making SHA-1 unsuitable for any new security-sensitive application. Use SHA-256 instead unless you specifically need SHA-1 for a legacy compatibility requirement.
WarningMD5 -- non-security checksums only
Input: "admin"
MD5: 21232f297a57a5a743894a0e4a801fc3
Note: MD5("admin") is in every rainbow table -- never use for passwords
MD5: 21232f297a57a5a743894a0e4a801fc3
Note: MD5("admin") is in every rainbow table -- never use for passwords
MD5 is cryptographically broken and its 128-bit output is trivially found in rainbow table databases for any common string. The hash above is the MD5 of "admin" and appears in millions of cracking databases. MD5 is only acceptable for detecting accidental corruption (not malicious tampering) or for non-security deduplication. For password storage, always use bcrypt, Argon2, or PBKDF2 -- never plain MD5 or SHA.
ExcellentSHA-512 -- maximum collision resistance
Input: "Hello, World!"
SHA-512: 374d794a95cdcfd8b35993185fef9ba3
68ddcb61cc98cb0df43ef90f9b8e7b82
3f7e10caed7fc6e4bed34b50f51a1b2f
1f2c97a5bcb11e1ef34fc0c5f05e7ddd
SHA-512: 374d794a95cdcfd8b35993185fef9ba3
68ddcb61cc98cb0df43ef90f9b8e7b82
3f7e10caed7fc6e4bed34b50f51a1b2f
1f2c97a5bcb11e1ef34fc0c5f05e7ddd
SHA-512 produces a 128-character hex hash (512 bits) -- the largest output available in this tool. It is faster than SHA-256 on modern 64-bit processors due to hardware optimizations, and provides the greatest margin against future advances in collision attacks. SHA-512 is used in high-security applications, some TLS cipher suites, and as the underlying primitive in password hashing schemes like PBKDF2-SHA512.
FAQ
Frequently asked questions about hash generators, MD5, SHA-256, and cryptographic hashing
What is a hash generator and what does it do?
A hash generator is a tool that applies a cryptographic hash function to any input -- text, a password, or a file -- and produces a fixed-length hexadecimal string called a digest or hash. The same input always produces the same hash, but even a single character change in the input produces a completely different output. Hash generators are used for password storage, file integrity verification, digital signatures, data deduplication, and checksums in software development and security workflows.
What is the difference between MD5, SHA-1, SHA-256, and SHA-512?
These are all cryptographic hash algorithms but with different output sizes and security levels. MD5 produces a 128-bit (32-character) hash and is cryptographically broken -- collision attacks are practical. SHA-1 produces a 160-bit hash and is also deprecated for security use after collision attacks were demonstrated in 2017. SHA-256 produces a 256-bit hash and is the current security standard used in TLS, Bitcoin, and JWT. SHA-512 produces a 512-bit hash and offers greater collision resistance. For any security-sensitive use, always choose SHA-256 or SHA-512.
Is it safe to generate password hashes in this tool?
Yes -- all hashing in this tool runs entirely in your browser using the Web Crypto API (for SHA algorithms) and a client-side JavaScript implementation (for MD5). Nothing you type or upload is transmitted to any server. The tool is completely offline once the page loads. However, note that for actual password storage in applications, you should use a dedicated password hashing function like bcrypt, Argon2, or PBKDF2 rather than plain SHA-256 -- these algorithms are intentionally slow and include salting to resist rainbow table attacks.
What is SHA-256 used for in real applications?
SHA-256 is used in an enormous range of security-critical systems. In TLS/HTTPS, SHA-256 is used to sign certificates that authenticate websites. Bitcoin and most cryptocurrencies use SHA-256 for proof-of-work mining. Git uses SHA-256 (previously SHA-1) to generate commit identifiers. JSON Web Tokens (JWTs) use HMAC-SHA-256 for signature verification. Code signing, software package verification, and digital forensics all rely on SHA-256 checksums. It is also used in password hashing schemes as the underlying primitive for PBKDF2-SHA256.
Can I use this tool to verify file integrity checksums?
Yes -- the File tab accepts any file and computes its MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes simultaneously. To verify a file download, compute the SHA-256 hash of the downloaded file in this tool and compare it to the checksum published by the software vendor. An exact match confirms the file was not corrupted or tampered with during download. This is how Linux distributions, software repositories, and security tools distribute verified downloads. The file is processed entirely in your browser and never uploaded.
Why is MD5 no longer recommended for security?
MD5 was broken in 2004 when researchers demonstrated practical collision attacks -- meaning it is computationally feasible to create two different inputs that produce the exact same MD5 hash. This makes MD5 unusable for digital signatures, certificate validation, or any security context where uniqueness matters. In 2008, researchers used MD5 collisions to forge a rogue CA certificate, demonstrating real-world exploitability. MD5 is still acceptable for non-security purposes like detecting accidental file corruption or deduplicating data, but should never be used for password hashing or authentication.
What is the difference between hashing and encryption?
Hashing and encryption are fundamentally different operations. Encryption is reversible -- given the correct key, you can decrypt an encrypted value back to the original plaintext. Hashing is a one-way function -- there is no key and no mathematical way to reverse a hash to recover the original input (without brute force). Encryption is used when you need to recover the original data later, such as encrypting messages or files. Hashing is used when you only need to verify that a given input matches a stored hash, such as password verification, without ever storing or recovering the actual password.
How do I use SHA-256 to verify a file download?
First, find the official SHA-256 checksum published by the software vendor -- this is usually listed on the download page or in a separate .sha256 or checksums.txt file. Then use the File tab in this tool to select the downloaded file and wait for the hashes to be computed. Find the SHA-256 row in the results and compare it character by character to the published checksum. If they match exactly, your download is authentic and unmodified. If they differ, the file may be corrupted or tampered with and should not be used.
What is an avalanche effect in hash functions?
The avalanche effect is a fundamental property of cryptographic hash functions: changing even a single bit of the input should cause approximately 50% of the output bits to change. In practice, this means that two nearly identical inputs -- such as 'password' and 'Password' -- produce completely unrelated hashes with no discernible relationship. The avalanche effect is what makes hash functions resistant to pattern analysis and ensures that an attacker cannot use a known hash to make educated guesses about similar inputs. It is one of the key properties that distinguishes cryptographic hash functions from simple checksums.
Should I use SHA-256 or SHA-512 for my application?
Both SHA-256 and SHA-512 are considered cryptographically secure for all current use cases. SHA-256 is more widely deployed and is the default choice for most applications including TLS certificates, Bitcoin, and JWT. SHA-512 offers a larger output (512 bits vs 256 bits) which provides additional margin against future attacks, and can be faster than SHA-256 on 64-bit processors due to hardware optimizations. For password hashing specifically, neither SHA-256 nor SHA-512 alone is recommended -- use bcrypt, Argon2, or PBKDF2 with many iterations instead, as these are designed specifically to be computationally expensive.
Related Developer & Security Tools
Need a disposable email address?Generate a free, instant throwaway -- zero signup, zero trace.
Get Free Temp Mail ->