Skip to content
snip tools

Hash generator (MD5, SHA-1, SHA-256)

Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from text — live, in your browser.

Runs 100% in your browser

How to generate a hash

  1. Type or paste text. Enter the text you want to hash.
  2. Read the digests. MD5, SHA-1, SHA-256, SHA-384 and SHA-512 update live.
  3. Copy a hash. Click Copy next to the algorithm you need.

What a hash function does

A cryptographic hash takes any input — a word, a paragraph, a whole file — and produces a fixed-size fingerprint called a digest. SHA-256 always returns 64 hex characters whether you feed it one letter or a gigabyte. Three properties make it useful: it is deterministic (the same input always gives the same digest), it is fast to compute but practically impossible to reverse, and a tiny change to the input — flipping a single bit — produces a completely different-looking output (the "avalanche effect"). Together these let a short string stand in as a reliable proxy for a much larger piece of data.

Integrity, not secrecy

The classic use is verifying that data arrived intact. When a download lists a SHA-256 checksum, you hash the file you received and compare: if the digests match, the bytes are identical; if not, the file is corrupt or tampered with. The same idea underpins content-addressing (a Git commit ID is a hash of its contents) and digital signatures (you sign the hash, not the whole document). What hashing does not do is keep data secret. Because it is deterministic, anyone can hash a guess and check it against your digest — so for low-entropy inputs like a password or an email address, a hash is readable to anyone willing to try the obvious candidates.

Choosing an algorithm — and what's broken

For anything that an attacker might try to fool, use SHA-256 or stronger. MD5 and SHA-1 are broken: it is now feasible to construct two different inputs that share the same digest (a collision), which defeats signatures and tamper-evidence — SHA-1 collisions have been demonstrated in the real world. They are kept here because they are still everywhere as non-adversarial checksums and in legacy systems, where speed matters and nobody is actively attacking the hash. The longer SHA-384 and SHA-512 add margin and can be faster on 64-bit hardware, but SHA-256 is the sensible default.

Why these are the wrong tool for passwords

It is tempting to "secure" a password by storing its SHA-256, but general-purpose hashes are designed to be fast, and fast is exactly wrong here — a stolen database of SHA-256 password hashes can be attacked at billions of guesses per second. Passwords need a deliberately slow, salted password-hashing function (bcrypt, scrypt or Argon2) that makes each guess expensive and adds a unique salt so identical passwords don't share a digest. Use this tool for checksums, fingerprints and verification; reach for a real password-hashing library when you store credentials. To generate strong secrets in the first place, see the password generator; to encode rather than hash data, the Base64 tool is the reversible counterpart. Writing your own? Our guide to hashing a string with SHA-256 in JavaScript walks through the Web Crypto digest call and the hex conversion.

Frequently asked questions

Which hash algorithms are supported?
MD5, SHA-1, SHA-256, SHA-384 and SHA-512. The SHA functions use the browser's built-in Web Crypto API; MD5 uses a small bundled implementation, since Web Crypto deliberately does not provide the broken MD5.
Is my text uploaded to compute the hash?
No. All hashing runs locally in your browser. Your input is never sent to a server, which is enforced by a strict content-security policy.
Should I use MD5 or SHA-1 for security?
No. MD5 and SHA-1 are cryptographically broken — researchers can produce two different inputs with the same hash (a collision) on ordinary hardware — so they must not be used for signatures, certificates or tamper protection against an attacker. They remain fine for non-adversarial checksums and legacy interoperability. Use SHA-256 or stronger for anything security-sensitive.
Can I get the original text back from a hash?
No — hashing is one-way by design. But "can't reverse" is not the same as "secret": for short or common inputs an attacker just hashes every candidate and compares (a rainbow-table or dictionary attack). That is why a bare hash is not a safe way to hide a password.
Why shouldn't I store passwords as a plain SHA-256?
Because SHA-256 is fast — an attacker can try billions of guesses per second against a stolen hash. Passwords need a deliberately slow, salted password-hashing function such as bcrypt, scrypt or Argon2, which are tuned to be expensive per guess. General-purpose hashes like the ones here are the wrong tool for storing passwords.
What is a hash actually used for?
Verifying file integrity (the checksum next to a download), deduplicating or indexing data, content-addressing (Git commit IDs are SHA hashes), digital signatures, and — via a proper password-hashing function — storing password verifiers. The common thread is turning data into a short, comparable fingerprint.