Hash generator (MD5, SHA-1, SHA-256)
Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from text — live, in your browser.
Runs 100% in your browserHow to generate a hash
- Type or paste text. Enter the text you want to hash.
- Read the digests. MD5, SHA-1, SHA-256, SHA-384 and SHA-512 update live.
- Copy a hash. Click Copy next to the algorithm you need.
What a hash function does
A cryptographic hash takes any input — a word, a paragraph, a whole file — and produces a fixed-size fingerprint called a digest. SHA-256 always returns 64 hex characters whether you feed it one letter or a gigabyte. Three properties make it useful: it is deterministic (the same input always gives the same digest), it is fast to compute but practically impossible to reverse, and a tiny change to the input — flipping a single bit — produces a completely different-looking output (the "avalanche effect"). Together these let a short string stand in as a reliable proxy for a much larger piece of data.
Integrity, not secrecy
The classic use is verifying that data arrived intact. When a download lists a SHA-256 checksum, you hash the file you received and compare: if the digests match, the bytes are identical; if not, the file is corrupt or tampered with. The same idea underpins content-addressing (a Git commit ID is a hash of its contents) and digital signatures (you sign the hash, not the whole document). What hashing does not do is keep data secret. Because it is deterministic, anyone can hash a guess and check it against your digest — so for low-entropy inputs like a password or an email address, a hash is readable to anyone willing to try the obvious candidates.
Choosing an algorithm — and what's broken
For anything that an attacker might try to fool, use SHA-256 or stronger. MD5 and SHA-1 are broken: it is now feasible to construct two different inputs that share the same digest (a collision), which defeats signatures and tamper-evidence — SHA-1 collisions have been demonstrated in the real world. They are kept here because they are still everywhere as non-adversarial checksums and in legacy systems, where speed matters and nobody is actively attacking the hash. The longer SHA-384 and SHA-512 add margin and can be faster on 64-bit hardware, but SHA-256 is the sensible default.
Why these are the wrong tool for passwords
It is tempting to "secure" a password by storing its SHA-256, but general-purpose hashes are designed to
be fast, and fast is exactly wrong here — a stolen database of SHA-256 password hashes can be
attacked at billions of guesses per second. Passwords need a deliberately slow, salted
password-hashing function (bcrypt, scrypt or Argon2) that makes each guess expensive and adds a unique
salt so identical passwords don't share a digest. Use this tool for checksums, fingerprints and
verification; reach for a real password-hashing library when you store credentials. To generate strong
secrets in the first place, see the
password generator;
to encode rather than hash data, the
Base64 tool is the
reversible counterpart. Writing your own? Our guide to
hashing a string with SHA-256 in JavaScript
walks through the Web Crypto digest call and the hex conversion.
Frequently asked questions
- MD5, SHA-1, SHA-256, SHA-384 and SHA-512. The SHA functions use the browser's built-in Web Crypto API; MD5 uses a small bundled implementation, since Web Crypto deliberately does not provide the broken MD5.
- No. All hashing runs locally in your browser. Your input is never sent to a server, which is enforced by a strict content-security policy.
- No. MD5 and SHA-1 are cryptographically broken — researchers can produce two different inputs with the same hash (a collision) on ordinary hardware — so they must not be used for signatures, certificates or tamper protection against an attacker. They remain fine for non-adversarial checksums and legacy interoperability. Use SHA-256 or stronger for anything security-sensitive.
- No — hashing is one-way by design. But "can't reverse" is not the same as "secret": for short or common inputs an attacker just hashes every candidate and compares (a rainbow-table or dictionary attack). That is why a bare hash is not a safe way to hide a password.
- Because SHA-256 is fast — an attacker can try billions of guesses per second against a stolen hash. Passwords need a deliberately slow, salted password-hashing function such as bcrypt, scrypt or Argon2, which are tuned to be expensive per guess. General-purpose hashes like the ones here are the wrong tool for storing passwords.
- Verifying file integrity (the checksum next to a download), deduplicating or indexing data, content-addressing (Git commit IDs are SHA hashes), digital signatures, and — via a proper password-hashing function — storing password verifiers. The common thread is turning data into a short, comparable fingerprint.