Security Tool

Hash Generator — MD5, SHA-256 & More

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text or file. Verify checksums by comparing a known hash. All hashing runs in your browser using the Web Crypto API — nothing is sent to any server.

Web Crypto API Data never uploaded 5 algorithms File hashing

Input Text

Verify Hash (optional)

MD5
SHA-1
SHA-256
SHA-384
SHA-512

Pro — HMAC signing, batch file hashing, bcrypt/Argon2, API access

API access · Priority queue · Team workspace

Upgrade — $19/mo

Related Tools

HMAC Generator

Keyed hash signing

UUID Generator

Generate UUIDs

Password Generator

Secure passwords

Base64 Encode

Encode / decode

How It Works

STEP 1

Enter Text or File

Type or paste any text into the input panel, or choose a file using the file picker. Text is hashed character by character using UTF-8 encoding. Files are read as binary using the FileReader API and hashed in their raw byte format — the same way command-line tools like sha256sum and md5sum process files. Click Sample to load a demonstration string.

STEP 2

Hashes Generate Instantly

All five hashes — MD5, SHA-1, SHA-256, SHA-384, and SHA-512 — are computed simultaneously using the browser's native Web Crypto API (SHA family) and a JavaScript MD5 implementation. The Web Crypto API is a FIPS-validated cryptographic engine built into the browser, ensuring the same output as OpenSSL, Python hashlib, and server-side hash tools.

STEP 3

Copy or Verify

Copy any individual hash with its Copy button. To verify a checksum, paste the expected hash into the Verify box — the tool compares it against all five computed hashes and shows a green match or red mismatch badge. Toggle UPPERCASE to switch between lowercase hex (default) and uppercase hex output. Both formats are cryptographically identical.

Hash Generator Features

Five algorithms, file hashing, checksum verification — all in the browser

5 Hash Algorithms

MD5 (128-bit, 32 hex chars) — fast checksum, not for security. SHA-1 (160-bit, 40 hex) — legacy, deprecated for security use. SHA-256 (256-bit, 64 hex) — current standard for file integrity and digital signatures. SHA-384 (384-bit, 96 hex) — stronger variant used in TLS certificates. SHA-512 (512-bit, 128 hex) — maximum strength, used in password hashing schemes and high-security applications.

File Hashing

Hash any file — executables, archives, images, documents, or ISO files — by selecting it with the file picker. Files are read into memory using the FileReader API and hashed as raw binary data, producing the same hash as running sha256sum filename or md5sum filename in the terminal. Useful for verifying download integrity, confirming backup completeness, and detecting file tampering.

Checksum Verification

Paste any expected hash into the Verify box to compare against all five computed hashes simultaneously. A green "Match" badge confirms the file or text matches the expected value. A red "No match" badge means the content has been modified or the hash was corrupted. Comparison is case-insensitive so both abc123 and ABC123 match correctly.

Web Crypto API

SHA-1, SHA-256, SHA-384, and SHA-512 are computed by the browser's native crypto.subtle.digest() API — the same cryptographic engine used for HTTPS, WebAuthn, and JWT verification. This guarantees FIPS-140-validated output identical to OpenSSL. MD5 uses a pure-JavaScript implementation since MD5 was excluded from the Web Crypto spec due to its known vulnerabilities.

Uppercase / Lowercase Output

Toggle between lowercase hex output (a3f8...) and UPPERCASE hex output (A3F8...) to match the format expected by your system. Both formats are the same hash — hex digits are case-insensitive. Linux tools like sha256sum output lowercase by default. Windows CertUtil and some checksum files use uppercase. The toggle switches all five hashes simultaneously.

100% Private

All hashing runs locally in your browser. No text or file data is transmitted to any server. Safe for hashing confidential documents, proprietary software binaries, sensitive configuration files, personal data, and internal tools whose content must not be exposed to external services. Disconnect from the internet and the tool continues to work — confirming no server dependency.

Free vs Pro

FeatureFreePro
MD5, SHA-1, SHA-256, SHA-384, SHA-512
File hashing + checksum verify
HMAC-SHA256 signing
Batch file hashing
bcrypt / Argon2 hashing
REST API access
Upgrade to Pro — $19/mo

Frequently Asked Questions

MD5 produces a 128-bit (32 character) hash. SHA-1 produces 160 bits (40 characters). SHA-256 produces 256 bits (64 characters). Longer hashes are more resistant to collision attacks (two different inputs producing the same hash). MD5 and SHA-1 are cryptographically broken — known collision attacks exist for both. They remain useful for non-security checksum verification (detecting accidental corruption) but should not be used for digital signatures, password storage, or any security-critical purpose. SHA-256 is the current recommended minimum for security applications.

No — cryptographic hash functions are one-way by design. Given a hash output, it is computationally infeasible to recover the original input through the hash function itself. However, short or common inputs (passwords, dictionary words, short phrases) can be looked up in precomputed rainbow tables or brute-forced. This is why password hashing uses special algorithms (bcrypt, Argon2, scrypt) with salts and intentional computational cost, rather than fast hash functions like SHA-256.

Hash functions have the "avalanche effect" — any small change to the input, even a single bit, produces a completely different hash that appears unrelated to the original. This is a deliberate security property: if small changes produced similar hashes, it would be easier to search for inputs that produce a target hash. The avalanche effect means hashes cannot be compared to measure similarity — two texts that are 99% identical will produce hashes that look entirely unrelated.

SHA-256 is used in: TLS/HTTPS certificates to sign and verify server identity; Bitcoin and most other cryptocurrencies for block hashing and proof-of-work; Git to identify commits, blobs, and trees (switching from SHA-1 to SHA-256); code signing for software distribution; HMAC-SHA256 for API request authentication; JWT (JSON Web Token) signatures; and software download integrity verification (comparing a distributed sha256sum against the downloaded file).

For detecting accidental corruption (network errors, incomplete downloads, bad storage media), MD5 is sufficient. If the file's MD5 hash matches the one published by the software vendor, the download is very likely intact. However, MD5 does not protect against a malicious actor who has compromised the distribution server and can compute a collision — an attacker can craft a malicious file with the same MD5 as the legitimate file. For security-critical downloads (OS images, security tools), use SHA-256 or SHA-512 which have no known practical collision attacks.

Yes — all hashing runs in the browser. No text or file data leaves your device. SHA family hashes use the browser's native crypto.subtle.digest() API which runs in a separate security context. Files are read using the FileReader API and hashed locally. Safe for hashing proprietary software binaries, confidential documents, personal files, and sensitive configuration data. You can verify by disconnecting from the internet and confirming the tool still generates hashes.