Hash Generator
Generate SHA-1, SHA-256, and SHA-512 cryptographic hashes instantly. Your data never leaves your browser.
What is a Cryptographic Hash Function?
A cryptographic hash function takes an input of any size and produces a fixed-length output called a hash, digest, or checksum. The same input always produces the same hash, but even a single character change completely transforms the output — a property called the avalanche effect.
Hash functions are one-way: given a hash, it's computationally infeasible to recover the original input. This makes them ideal for verifying data integrity without storing the original data.
All hashing in this tool happens locally in your browser using the Web Crypto API. Your input is never sent to any server.
How to Use This Tool
- Type or paste any text into the input field.
- Click Generate Hashes to compute SHA-1, SHA-256, and SHA-512 simultaneously.
- Click the copy icon next to any hash to copy it to your clipboard.
Hash Algorithms Compared
- SHA-1 (160-bit / 40 hex chars) — Legacy algorithm. Broken for collision resistance since 2017. Avoid for security-critical uses, but still used in git commit IDs.
- SHA-256 (256-bit / 64 hex chars) — Part of the SHA-2 family. The industry standard for most security applications, used in TLS certificates, Bitcoin, and code signing.
- SHA-512 (512-bit / 128 hex chars) — Larger output, theoretically stronger. Faster than SHA-256 on 64-bit systems. Used when maximum security margin is required.
Common Use Cases
- File Integrity Verification — Hash a downloaded file and compare to the publisher's checksum to detect tampering or corruption
- Password Storage — Databases store hashed passwords (with salt) instead of plaintext so breaches don't expose real passwords
- Digital Signatures — Sign the hash of a document rather than the document itself — faster and standardized
- Data Deduplication — Detect duplicate files by comparing hashes instead of byte-by-byte comparison
- API Request Signing — HMAC (Hash-based Message Authentication Code) uses a secret key + hash to authenticate API requests
Frequently Asked Questions
Not mathematically. Hash functions are designed to be one-way — there's no algorithm to reverse them. However, weak or common inputs (like simple passwords) can be found using precomputed rainbow tables or dictionary attacks. This is why passwords must be hashed with a unique salt for each user.
MD5 produces a 128-bit hash and is considered cryptographically broken — collisions (two different inputs producing the same hash) can be found quickly. SHA-256 produces a 256-bit hash and is currently considered secure. MD5 is still used for non-security checksums (like verifying file downloads where tampering isn't a concern), but should never be used for passwords or digital signatures.
Not for security-critical applications. In 2017, Google demonstrated the first SHA-1 collision (SHAttered attack). Major browsers and certificate authorities stopped accepting SHA-1 certificates. It's still used in non-security contexts like git object IDs, but you should use SHA-256 or better for anything security-related.
Secure password hashing algorithms (like bcrypt, scrypt, Argon2) add a unique random value called a salt before hashing. This means the same password produces a different hash every time it's stored. This is intentional — it defeats precomputed rainbow table attacks. This tool computes plain SHA hashes without salting, so it's not suitable for password storage.
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key:
HMAC = Hash(key + message). Unlike a plain hash, HMAC can verify both the data integrity AND the identity of the sender (since only someone with the key can produce the same HMAC). It's widely used in API authentication (AWS Signature, webhooks) and JWT token verification.