Hash Generator (MD5, SHA-1, SHA-256)

What is a hash function?

A hash function is a deterministic algorithm that maps an input of arbitrary length — a word, a sentence, a file, an entire database dump — to a fixed-length output called a digest or hash. Four properties define a cryptographic hash function: same input always produces the same output; a tiny change to the input produces a completely different output (the avalanche effect); the function is one-way, meaning you cannot reconstruct the input from the digest; and it is collision-resistant, meaning it is computationally hard to find two different inputs that produce the same digest. Developers, security engineers, and system administrators use hash functions daily for file integrity checks, content addressing, digital signatures, deduplication, and cache invalidation. This hash generator online tool computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests instantly in the browser.

Algorithms compared

MD5 — broken for security, still useful elsewhere

MD5 produces a 128-bit digest, typically shown as 32 lowercase hex characters. It was once the default checksum algorithm, but practical collision attacks have been known since 2004 — researchers can craft two different inputs that produce the same MD5 digest in seconds on consumer hardware. This makes the md5 generator unsuitable for any security purpose: do not use MD5 for digital signatures, certificate fingerprints, or password storage. However, for tasks where an adversary is not a concern — file checksums on trusted downloads, cache keys, ETags, log deduplication — MD5 remains fast and universally supported. The key question is always: can an attacker benefit from producing a collision? If yes, use SHA-256.

SHA-1 — deprecated, legacy use only

SHA-1 produces a 160-bit digest. It was the successor to MD5 and dominated TLS certificate signing and Git's object model for over a decade. In 2017, the SHAttered attack demonstrated the first practical SHA-1 collision, costing roughly USD 100,000 in compute. Major browser vendors and certificate authorities stopped accepting SHA-1 certificates before that, and Git is actively transitioning its default hash to SHA-256. The sha1 hash is now legacy: acceptable only for interoperability with systems that cannot be updated, never for new designs. If you are auditing legacy infrastructure and see SHA-1 in use for anything security-relevant, treat it as a finding that needs remediation.

SHA-2 family: SHA-256, SHA-384, SHA-512 — recommended

The SHA-2 family was designed by the NSA and standardized by NIST. There are no practical attacks against any SHA-2 variant as of this writing. SHA-256 produces a 256-bit digest and is the modern default: Git uses it for its new object format, Bitcoin uses it for proof-of-work and transaction IDs, and TLS certificates use it for signing. The sha256 hash is the right choice for virtually all new work. SHA-512 produces a 512-bit digest and is actually faster than SHA-256 on 64-bit hardware because it processes 128-byte blocks rather than 64-byte blocks; it is preferred when throughput on large data matters. SHA-384 is SHA-512 truncated to 384 bits — it is used in some TLS cipher suites and protocol contexts where SHA-512's full output would exceed a size budget. All three are safe; sha256 hash is the sensible default unless you have a specific reason to choose otherwise.

Hash vs password hash — the critical distinction

The algorithms in this tool — MD5, SHA-1, SHA-256, SHA-384, SHA-512 — are general-purpose hash functions. They are designed to be fast. On modern hardware a single GPU can compute billions of SHA-256 digests per second. That speed is an asset for file integrity and content addressing; it is a catastrophic liability for password storage.

Do not use any of these algorithms to store passwords in a database. Storing passwords requires a function that is deliberately slow and uses a per-user random value called a salt to prevent rainbow table attacks. The algorithms designed for this purpose are bcrypt, scrypt, and Argon2. Argon2 is the current OWASP recommendation. Every mainstream backend framework provides a password hashing library that wraps one of these; use it rather than rolling your own. If you find yourself piping user passwords through this hash generator online tool or through a raw SHA-256 call in your code, stop — that code has a security vulnerability.

This tool is for general hashing: verifying file downloads, computing fingerprints for deduplication, generating cache keys, and similar tasks. It is not a password storage tool.

How to use this hash generator

1. Type or paste any text into the input field. All five hash digests compute live as you type — there is no submit button.
2. The results panel shows the MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests as lowercase hex strings. Each digest updates immediately on every keystroke.
3. Click the Copy button next to any digest to put it on your clipboard. The button label briefly changes to confirm the copy succeeded.
4. Click Clear to wipe the input and all output fields and start fresh.
5. SHA-256, SHA-384, and SHA-512 use the browser's built-in Web Crypto API (crypto.subtle.digest). MD5 uses a small inline implementation. Neither sends any data to a server.

Example

Input text:

hello world

Resulting digests:

MD5     5eb63bbbe01eeed093cb22bb8f5acdc3
SHA-1   2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
SHA-256 b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
SHA-512 309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a9bcd3ca86d4cd86f989dd35bc5ff499670da34255b45b0cfd830e81f605dcf7dc5542e93ae9cd76f

Notice that even a one-character difference — changing "hello world" to "Hello world" — produces completely different digests across all algorithms. That is the avalanche effect in practice.

Common use cases

• File integrity / download verification — Publishers list a SHA-256 or SHA-512 digest next to a download. After downloading, you hash the file and compare. If the digests match, the file arrived intact and unmodified.
• Git object IDs— Git identifies every commit, tree, and blob by its SHA-1 hash (and SHA-256 in the new format). The hash is the object's address in the repository.
• Cache keys and ETags — HTTP servers often compute an MD5 or SHA-1 of a response body and send it as the ETag header. A browser that already has the resource sends the ETag back; if it still matches the server can respond 304 Not Modified, saving bandwidth. MD5 is fine here — no adversary benefits from a collision.
• Content addressing (IPFS, CAS) — IPFS uses SHA-256 inside a multihash structure to address content. Content-addressable storage systems in general use cryptographic hashes as keys because identical content produces identical addresses, enabling deduplication at the storage layer.
• Data deduplication— Compute a hash for each file or chunk. Two objects with the same hash are almost certainly identical (given SHA-256's collision resistance). Store only one copy.
• Detecting accidental corruption — Checksums catch bit-rot, incomplete transfers, and disk errors. SHA-256 is preferred for long-term archival; MD5 is acceptable when adversarial tampering is not a concern.
• Not for password storage— See the warning section above. Use bcrypt, scrypt, or Argon2 via your framework's password hashing library.

Frequently asked questions

Is my input sent anywhere?

No. All hashing happens entirely in your browser. SHA-256, SHA-384, and SHA-512 use the browser's native Web Crypto API (crypto.subtle.digest), which never touches the network. MD5 runs through a small inline JavaScript implementation. No input text, no digest, and no metadata is transmitted to any server. You can use this hash generator online tool with sensitive text — API keys you want to fingerprint, internal filenames, anything — and it stays local.

Why does empty input still produce a hash?

Hash functions are defined for any byte sequence, including the empty string. The MD5 digest of the empty string is d41d8cd98f00b204e9800998ecf8427e, a value that appears frequently in HTTP caches and application logs as a fingerprint of "nothing". Similarly, the SHA-256 of empty input is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. This tool shows blank output fields when input is empty as a UX choice — typing anything immediately computes all five digests.

Are hash digests case-sensitive?

Hex digests are case-insensitive by mathematical definition — the characters a–f and A–F represent the same values. In practice, most tools and specifications emit lowercase hex, and this tool follows that convention. When comparing digests, normalize both sides to the same case. A mismatch that disappears after lowercasing both strings is not a real mismatch.

Can I hash a file?

Not yet — this tool hashes text input only. File hashing (reading a binary file via the FileReader API and passing the ArrayBuffer to crypto.subtle.digest) is on the roadmap. For now, you can hash a file's contents from the command line with sha256sum filename on Linux/macOS or Get-FileHash filename -Algorithm SHA256 in PowerShell.

Why is MD5 still in this tool if it's broken?

Because the majority of everyday hashing tasks have no adversary. Computing an MD5 for a cache key, an ETag, or an internal deduplication index is perfectly safe — no attacker benefits from forging a collision in those contexts. Removing MD5 would push users toward worse tools or toward implementing it themselves. The tool includes a clear warning about when not to use MD5; the rest is up to the caller to apply judgment. The presence of SHA-256 and SHA-512 means there is no excuse for using MD5 in a security-sensitive path.

What is the difference between a hash and encryption?

Hashing is one-way: given a digest, you cannot recover the original input (without a brute-force search). The output is always the same fixed size regardless of input length. Encryption is two-way: given the ciphertext and the correct key, you recover the original plaintext exactly. Encryption preserves (or predictably transforms) the length of the data. They solve different problems: hashing for integrity, content addressing, and fingerprinting; encryption for confidentiality when the recipient needs to read the original data. A sha256 hash of a document proves the document has not changed; AES encryption of a document keeps its contents private.

What is a salt and do I need one here?

A salt is a per-user random value concatenated with a password before hashing, so that two users with the same password get different digests. Salts defeat precomputed rainbow tables — an attacker who steals your database cannot look up hashes in a prebuilt table because every hash was computed with a unique salt. You only need salts when storing passwords, and if you are storing passwords you should be using a dedicated password hashing function (bcrypt, scrypt, or Argon2) that handles salting automatically. This tool is not a password storage system, so salts are not applicable here.