Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text or files. Hex and base64 output. Compare against an expected value. Everything runs in your browser.
// how to use
Hash anything in three steps.
- 01 Provide your input. Type or paste any text into the input box, or use the “file” button to hash an entire file. The five hashes are computed in parallel as you type.
- 02 Pick the encoding. Hex is the default — what you see in most checksums and command-line tools. Toggle to base64 for APIs that expect that format (it's also more compact).
- 03 Verify or copy. Click any hash to copy it. Or expand “verify against expected hash” and paste a hash you want to compare — the tool will tell you which algorithm it matches, if any.
// background
What is a hash, and which one should you use?
A hash function takes any input, from a single character to a multi-gigabyte file, and produces a fixed-size output (the “digest”) that, for practical purposes, uniquely identifies that input. A good hash function has three properties: it's deterministic (same input → same output), it's fast, and it's collision-resistant (extremely hard to find two inputs that produce the same digest).
That last property is what separates the algorithms below. Collision attacks have been found against the older ones (MD5, SHA-1), so they are no longer safe for security purposes. The newer ones (SHA-256, SHA-512) remain trusted for cryptographic use.
The five algorithms
- MD5 (128 bits): Broken since 2004. Use only for non-security checksums.
- SHA-1 (160 bits): Broken since 2017. Same restriction as MD5.
- SHA-256 (256 bits): Current default for most security uses (TLS, signing, blockchains).
- SHA-384 (384 bits): Truncated SHA-512. Used in TLS 1.2/1.3 cipher suites.
- SHA-512 (512 bits): Strongest of the SHA-2 family. Slower on 32-bit CPUs.
Common use cases
- Verifying file integrity after download (compare with the publisher's checksum)
- Generating ETags or cache keys for HTTP responses
- Deduplicating data — same hash means same content
- Content-addressed storage (Git, IPFS, Docker layers)
- Digital signatures (sign the hash, not the whole document)
- Block hashes in blockchains and Merkle trees
What hashes are not for
- Password storage — use bcrypt, scrypt, or argon2 instead
- Encryption — hashes are one-way; you can't 'unhash' anything
- Hiding sensitive data — anyone with the same input can reproduce the hash
- Generating keys for symmetric encryption — use a proper KDF (HKDF, PBKDF2)
// faq
Frequently asked questions.
Why is MD5 still in the list if it's broken?
MD5 is cryptographically broken — meaning it should never be used for password storage, digital signatures, or anything where collision resistance matters. But it's still widely used for non-security checksums: verifying file integrity after download, deduplication, ETags, and legacy systems. We include it because most people who need a hash generator are working with non-security use cases.
Which hash should I use for password storage?
None of these. SHA-256/SHA-512 are too fast for password hashing, which makes them vulnerable to brute-force attacks. Use a purpose-built password hashing function like bcrypt, scrypt, or argon2. These are designed to be slow and memory-intensive on purpose.
What's the difference between hex and base64 encoding?
The hash itself is a sequence of bytes. Hex encoding represents each byte as two hex characters (0-9, a-f), so a 32-byte SHA-256 hash becomes 64 characters. Base64 encoding is more compact (44 characters for the same hash) but uses a wider alphabet. Use whichever your downstream tool expects — most file checksums use hex; some APIs prefer base64.
Can I hash a file without uploading it anywhere?
Yes — and that's how this tool works. When you select a file, it's read into your browser's memory using the FileReader API and hashed locally. Nothing is sent to any server. You can verify in your browser's network tab that no requests are made when you compute a hash.
What's the maximum file size I can hash?
Browser memory is the limit. Files up to several hundred megabytes work on modern hardware. Beyond that, the browser may run out of memory or become unresponsive. For very large files, command-line tools like sha256sum, openssl dgst, or md5sum are more appropriate.
Why do my MD5 and SHA-1 hashes match what older tools produce?
Hash algorithms are deterministic and standardized — given the same input bytes, every correct implementation produces the same output. If you hash 'Hello, World!' with MD5 anywhere, you'll always get 65a8e27d8879283831b664bd8b7f0ad4. Verifying this match across tools is itself a quick way to catch bugs.
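The “verify against expected hash” step and the hex/base64 answer above, as an added Node.js example that is not this tool's own code: it decodes an expected value as hex or base64, compares the raw bytes against all five digests, and reports which algorithm matched. The function names and the `weak` flag are assumptions of this sketch; the sample string and MD5 value are the ones quoted above.

```javascript
// Added example, not the tool's source. Names and the `weak` flag are assumptions.
const crypto = require('node:crypto');

const ALGORITHMS = ['md5', 'sha1', 'sha256', 'sha384', 'sha512'];
const BROKEN = new Set(['md5', 'sha1']); // collision attacks known (see above)

// Compute all five digests of `data` as raw bytes, hex and base64.
function digests(data) {
  const out = {};
  for (const alg of ALGORITHMS) {
    const raw = crypto.createHash(alg).update(data).digest();
    out[alg] = { raw, hex: raw.toString('hex'), base64: raw.toString('base64') };
  }
  return out;
}

// Decode an expected value every way it could validly be read. A 64-character
// hex string is also well-formed base64 (48 bytes, the SHA-384 length), so the
// encoding cannot be guessed from the alphabet alone: keep both candidates.
function decodeExpected(text) {
  const s = text.trim();
  const out = [];
  if (/^[0-9a-fA-F]+$/.test(s) && s.length % 2 === 0) out.push(Buffer.from(s, 'hex'));
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(s) && s.length % 4 === 0) out.push(Buffer.from(s, 'base64'));
  return out;
}

// Report which algorithm, if any, produced `expected` for `data`.
function verify(data, expected) {
  const all = digests(data);
  for (const want of decodeExpected(expected)) {
    for (const alg of ALGORITHMS) {
      const got = all[alg].raw;
      // timingSafeEqual throws on unequal lengths, so check length first.
      if (got.length === want.length && crypto.timingSafeEqual(got, want)) {
        return { match: true, algorithm: alg, weak: BROKEN.has(alg) };
      }
    }
  }
  return { match: false, algorithm: null, weak: false };
}

// Sample input and MD5 value are the ones quoted in the FAQ above.
const sample = 'Hello, World!';
console.log(verify(sample, '65A8E27D8879283831B664BD8B7F0AD4'));
console.log(verify(sample, digests(sample).sha256.base64));
console.log(verify(sample + '\n', '65a8e27d8879283831b664bd8b7f0ad4'));
```

A match on `md5` or `sha1` only shows the bytes are unchanged by accident; the `weak` flag marks results that should not be relied on where an attacker could have crafted the file.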