Generate Hashes
This hash generator produces MD5, SHA-1, SHA-256, and SHA-512 hashes from any text or file. All hashing runs in your browser using the Web Crypto API — nothing is sent to a server.
The Avalanche Effect — Try It
A core property of hash functions is the avalanche effect: changing even one character in the input produces a completely different hash. Compare these two inputs that differ by a single letter:
Input: "hello"
Input: "hallo" (one letter changed)
Every character in the hash changed — even though only one letter was different. This makes it impossible to guess the input by looking at the hash.
Algorithm Comparison
Each hash algorithm produces a different output length and has a different security status:
| Algorithm | Output Length | Hex Characters | Security Status | Use Case |
|---|---|---|---|---|
| MD5 | 128 bits | 32 | Broken | Checksums, cache keys (non-security only) |
| SHA-1 | 160 bits | 40 | Broken | Legacy systems, Git commit IDs |
| SHA-256 | 256 bits | 64 | Secure | Digital signatures, blockchain, SSL, integrity verification |
| SHA-512 | 512 bits | 128 | Secure | High-security applications, faster on 64-bit CPUs |
"Broken" means practical collision attacks exist — two different inputs can be crafted to produce the same hash. SHA-256 and SHA-512 have no known practical attacks.
Common Uses for Hash Functions
🔒 Password Storage
Websites store hashes of passwords, not the passwords themselves. When you log in, your entered password is hashed and compared to the stored hash. Note: for passwords, specialized algorithms like bcrypt or Argon2 are preferred over plain SHA-256.
📦 File Integrity
Software downloads often list a SHA-256 checksum. After downloading, you hash the file locally and compare. If the hashes match, the file was not corrupted or tampered with during transfer.
⛓ Blockchain
Bitcoin and other blockchains use SHA-256 extensively. Each block's hash depends on the previous block, creating a chain where altering any block would change every subsequent hash — making tampering detectable.
🔀 Data Deduplication
Storage systems hash file contents to detect duplicates. If two files produce the same hash, they're (almost certainly) identical, so only one copy needs to be stored.
📝 Version Control
Git uses SHA-1 hashes to identify every commit, tree, and blob. Each commit ID (like a1b2c3d) is a truncated hash of the commit's contents, author, timestamp, and parent commit.
✅ Digital Signatures
When signing a document digitally, the document is first hashed, then the hash is encrypted with a private key. The recipient can verify the signature by decrypting and comparing hashes.
Examples
Standard test vectors you can verify with this tool:
Empty String ""
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Text: "hello"
MD5:
5d41402abc4b2a76b9719d911017c592
SHA-256:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Text: "Hello" (capital H)
MD5:
8b1a9953c4611296a827abf8c47804d7
SHA-256:
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
Note: "hello" and "Hello" produce entirely different hashes — hashing is case-sensitive.
Text: "The quick brown fox jumps over the lazy dog"
SHA-256:
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
A classic test string used in cryptography examples and documentation.
How Hash Functions Work (Simplified)
- Input padding: The input is padded to a specific block size (e.g., 512 bits for SHA-256). This ensures every input — no matter its length — can be processed in uniform chunks.
- Block processing: The padded message is split into blocks. Each block is processed through multiple rounds of mathematical operations (bitwise operations, modular addition, logical functions).
- Chaining: The output of each block feeds into the processing of the next block. This is why changing any part of the input affects the entire hash.
- Final output: After all blocks are processed, the internal state is output as the hash digest. For SHA-256, this is 256 bits expressed as 64 hexadecimal characters.
The key insight: hash functions are designed to be fast to compute in one direction but practically impossible to reverse. There is no mathematical shortcut to go from a hash back to the original input.
How to Verify a File Checksum
Software publishers often provide a SHA-256 checksum alongside downloads. Verifying the checksum confirms the file was not corrupted or tampered with during transfer.
- Find the expected checksum: Look for a SHA-256 hash on the download page, usually displayed near the download link or in a separate checksums file.
- Hash your downloaded file: Switch to the "File" tab above and select the downloaded file. The tool computes all four hash algorithms.
- Compare: Paste the expected checksum into the verification field. The tool automatically checks it against all generated hashes and tells you if there is a match.
If the hashes match, the file is identical to what the publisher released. If they do not match, the file may have been corrupted during download or altered by a third party — download it again from the official source.
Common Mistakes
- Using MD5 or SHA-1 for security: Both have known collision attacks. Use SHA-256 or SHA-512 for any security-related purpose.
- Hashing passwords with SHA-256 directly: General-purpose hash functions are too fast for password hashing. Use bcrypt, scrypt, or Argon2, which are intentionally slow and include salting. Our bcrypt generator can help.
- Assuming hashing is encryption: Hashing is one-way and cannot be reversed. Encryption is two-way — data can be decrypted with the correct key. They serve different purposes.
- Ignoring case sensitivity: "Hello" and "hello" produce completely different hashes. Ensure your input is exactly what you intend to hash.
- Forgetting trailing whitespace: A string with a trailing space or newline will hash differently than one without. Watch for invisible characters.
Frequently Asked Questions
What is a hash function?
A hash function takes any input — text, a file, or raw data — and produces a fixed-length string of characters called a hash (or digest). The same input always produces the same hash, but even a single-character change in the input creates a completely different hash. Hash functions are one-way: you cannot reverse a hash back to the original input.
What is the difference between MD5, SHA-1, SHA-256, and SHA-512?
They differ in output length and security. MD5 produces a 128-bit (32-character hex) hash but is cryptographically broken. SHA-1 produces a 160-bit (40-character) hash and is also considered insecure. SHA-256 produces a 256-bit (64-character) hash and is the current standard for security applications. SHA-512 produces a 512-bit (128-character) hash with the highest security margin.
Is MD5 still safe to use?
Not for security. Collisions can be generated in seconds on modern hardware. MD5 is acceptable for non-security uses like detecting accidental file corruption, generating cache keys, or creating non-critical checksums. Never use MD5 for passwords, certificates, or digital signatures.
Which hash algorithm should I use?
For most purposes, use SHA-256. It is the current standard for digital signatures, blockchain, SSL certificates, and data integrity verification. Use SHA-512 when you need a wider security margin or are on 64-bit systems where SHA-512 can be faster. For password storage specifically, use bcrypt, scrypt, or Argon2 instead.
Can you reverse a hash back to the original text?
No. Hash functions are mathematically one-way. However, attackers can use precomputed tables (rainbow tables) or brute-force to find inputs that match a known hash. This is why passwords should use specialized algorithms with salting (random data added before hashing) to defeat precomputation attacks.
What is a hash collision?
A collision occurs when two different inputs produce the same hash output. Since hash functions map infinite inputs to a fixed-length output, collisions theoretically must exist. A hash function's security depends on how hard it is to find collisions intentionally. MD5 and SHA-1 have practical collision attacks; SHA-256 and SHA-512 do not.
Why do small changes produce completely different hashes?
This property is called the avalanche effect. A well-designed hash function ensures that changing even one bit of input changes roughly half of the output bits. This makes it impossible to learn anything about the input by examining the hash, which is essential for security.
What are hashes used for?
Common uses include: verifying file integrity (comparing checksums), password storage (storing hashes instead of plaintext), digital signatures, blockchain and cryptocurrency, data deduplication, cache keys, and commit identifiers in Git.
Why is SHA-256 used in Bitcoin?
Bitcoin uses SHA-256 for its proof-of-work mining and transaction identifiers. SHA-256 has no known practical attacks, produces consistent output, and the avalanche effect ensures miners cannot predict outputs without doing the computation. Each block's hash depends on the previous block, creating a tamper-resistant chain.
Is hashing the same as encryption?
No. Hashing is one-way — you cannot recover the original data from a hash. Encryption is two-way — encrypted data can be decrypted with the correct key. Use hashing when you need to verify data (passwords, checksums). Use encryption when you need to protect data but later retrieve it (messages, files).
How do I verify a file checksum online?
Switch to the "File" tab above, select your downloaded file, and compare the generated hash with the checksum provided by the software publisher. If they match exactly, the file was not corrupted or tampered with during download. The entire process runs in your browser — the file is never uploaded to any server.
Can I hash a file without uploading it to a server?
Yes. This tool uses the browser's FileReader API and Web Crypto API to hash files entirely on your device. The file is read into local memory, hashed using JavaScript, and the result is displayed in the browser. No data leaves your machine. This works for any file type your browser can load into memory.
Does this tool store or transmit my data?
No. All hashing happens entirely in your browser using JavaScript and the Web Crypto API. Your text and files are never sent to any server. You can verify this by disconnecting from the internet — the tool continues to work.
Related Tools
- SHA-256 Generator — focused SHA-256 hashing tool
- Bcrypt Generator — generate bcrypt password hashes with configurable cost factor
- Password Generator — create strong random passwords
- UUID Generator — generate unique identifiers
- Base64 Encoder/Decoder — encode and decode Base64 strings
- Text to Binary Converter — convert text to binary and vice versa
- Random String Generator — generate random alphanumeric strings
Privacy & Limitations
- Client-side only. No data is sent to any server. No cookies, no tracking. Text and files are processed entirely in your browser.
- File size limit. File hashing is limited by your browser's available memory. Most modern browsers handle files up to several hundred megabytes. For very large files (multi-GB), command-line tools like
sha256sum(Linux/macOS) orcertutil -hashfile(Windows) are more reliable. - Character encoding: Text is encoded as UTF-8 before hashing. The hash of a string depends on its encoding — the same characters in a different encoding will produce a different hash.
- MD5 for files: MD5 hashing of files uses a JavaScript implementation that may be slow for very large files. SHA-256 and SHA-512 use the native Web Crypto API and are significantly faster.
Related Tools
View all toolsBig-O Notation Visualizer
Interactive plot of O(1) through O(n!) complexity curves with operation count comparison
JSON Formatter
Format and beautify JSON with proper indentation
JSON Validator
Validate JSON syntax and show errors
CSV to JSON Converter
Convert CSV data to JSON format with auto-detection
JSON to CSV Converter
Convert JSON arrays to CSV format with nested object handling
JWT Decoder
Decode JWT tokens and display header and payload
Hash Generator FAQ
What is a hash function?
A hash function takes any input (text, file, data) and produces a fixed-length string of characters called a hash or digest. The same input always produces the same hash, but even a tiny change in the input creates a completely different hash. Hash functions are one-way — you cannot reverse a hash back to the original input.
What is the difference between MD5, SHA-1, SHA-256, and SHA-512?
They differ in output length and security. MD5 produces a 128-bit (32-character) hash but is cryptographically broken. SHA-1 produces a 160-bit (40-character) hash and is also considered insecure. SHA-256 produces a 256-bit (64-character) hash and is widely used for security applications. SHA-512 produces a 512-bit (128-character) hash and offers the highest security margin of the four.
Is MD5 still safe to use?
MD5 is not safe for security purposes. Collisions (two different inputs producing the same hash) can be generated in seconds on modern hardware. MD5 is still acceptable for non-security uses like checksums for file integrity (detecting accidental corruption) or cache keys, but should never be used for passwords, certificates, or digital signatures.
Which hash algorithm should I use?
For most purposes, use SHA-256. It is the current standard for digital signatures, blockchain, SSL certificates, and data integrity verification. Use SHA-512 when you need a larger security margin or are working on 64-bit systems where SHA-512 can actually be faster. Avoid MD5 and SHA-1 for anything security-related.
Can you reverse a hash back to the original text?
No. Hash functions are designed to be one-way. You cannot mathematically reverse a hash to recover the original input. However, attackers can use precomputed tables (rainbow tables) or brute-force attempts to find inputs that produce a known hash. This is why passwords should be hashed with specialized algorithms like bcrypt that include salting and are intentionally slow.
What is a hash collision?
A hash collision occurs when two different inputs produce the same hash output. Since hash functions map infinite possible inputs to a fixed-length output, collisions must theoretically exist. The security of a hash function depends on how hard it is to find collisions intentionally. MD5 and SHA-1 have known practical collision attacks; SHA-256 and SHA-512 do not.
Why do small changes in input produce completely different hashes?
This property is called the avalanche effect. A good hash function is designed so that changing even one bit of input changes roughly half of the output bits. This makes it impossible to predict how a hash will change based on input changes, which is essential for security applications.
What are hashes used for?
Common uses include: verifying file integrity (comparing checksums after download), password storage (storing hashes instead of plaintext passwords), digital signatures, blockchain and cryptocurrency, data deduplication, cache keys, and commit identifiers in version control systems like Git.
How do I verify a file checksum online?
Upload the file to a client-side hash generator (like this one) and compare the resulting hash with the expected checksum provided by the software publisher. If the hashes match exactly, the file was not corrupted or tampered with during download. The entire process runs in your browser — the file is never uploaded to a server.
Can I hash a file online without uploading it to a server?
Yes. This tool uses the browser's Web Crypto API and FileReader API to hash files entirely on your device. The file is read into memory locally, hashed using JavaScript, and the result is displayed — no data leaves your browser. This works for any file type and size that your browser can handle in memory.
Does this hash generator store or transmit my text?
No. All hashing happens entirely in your browser using JavaScript and the Web Crypto API. Your text and files are never sent to any server. You can verify this by disconnecting from the internet after the page loads — the tool will continue to work.
Why is SHA-256 used in Bitcoin and blockchain?
Bitcoin uses SHA-256 for its proof-of-work mining algorithm and for creating transaction identifiers. SHA-256 was chosen because it has no known practical attacks, produces a consistent 256-bit output, and the avalanche effect ensures that miners cannot predict outputs without doing the computation. Each block's hash depends on the previous block's hash, creating the tamper-resistant chain.