Hash Generator
Generate MD5, SHA-1, SHA-256 and SHA-512 cryptographic hashes from any text input or file. All hashing runs in your browser using the native Web Crypto API β nothing is sent to a server.
Paste an expected hash below to verify it matches one of the computed values above.
crypto.subtle API. MD5 and SHA-1 are cryptographically broken β avoid them for security purposes.
What is the Hash Generator?
The Hash Generator computes cryptographic hash values β MD5, SHA-1, SHA-256, and SHA-512 β from any text input or file, entirely within your browser. A cryptographic hash function transforms arbitrary data into a fixed-length fingerprint that uniquely represents the input. Even a single character change in the input produces a completely different hash output, making hashes indispensable for detecting data corruption, verifying file integrity, and confirming that a download has not been tampered with.
In DevOps and security engineering, hash functions serve as a fundamental primitive across many workflows. Container image digests in Docker and Kubernetes are SHA-256 hashes. Package managers like npm, pip, and Homebrew use SHA-256 checksums to verify that downloaded packages match what the registry published. Infrastructure-as-code tools use content hashing to detect configuration drift. Understanding which algorithm to use and when is a core skill for anyone working in platform engineering or security.
When to Use This Tool
- Download verification: Hash a downloaded binary or archive and compare it against the SHA-256 checksum published on the software's release page to confirm the file was not corrupted or tampered with.
- Content-addressed identifiers: Generate a SHA-256 hash of a configuration or artifact to create a stable, content-derived identifier that changes automatically whenever the content changes.
- Data integrity spot-checking: Compute the hash of a file before and after a transfer or transformation to confirm that the data survived the operation unchanged.
- Legacy system integration: Generate MD5 or SHA-1 hashes when interfacing with older systems or APIs that require these specific algorithms for their checksum fields.
How It Works
SHA-256 and SHA-512 are computed using the browser's native crypto.subtle.digest() API, which provides hardware-accelerated hashing with no external dependencies. MD5 and SHA-1, which are deprecated for security use but still needed for legacy compatibility, are implemented in pure JavaScript using the reference algorithms from their respective RFCs. File hashing reads the file as an ArrayBuffer using the FileReader API and passes the raw bytes to the same hash functions, so the result matches what command-line tools like sha256sum would produce for the same file.
Frequently Asked Questions
What hash algorithms does this tool support?
This tool supports MD5, SHA-1, SHA-256, and SHA-512. SHA-256 and SHA-512 are computed using the browser's native Web Crypto API (crypto.subtle), which provides fast, hardware-accelerated computation directly in the browser without any server communication. MD5 and SHA-1 are computed using pure JavaScript implementations because the Web Crypto API does not support these deprecated algorithms. All four algorithms run simultaneously when you type or upload a file, so you can compare outputs across algorithms without any extra steps.
Is MD5 still safe to use?
MD5 is considered cryptographically broken and should never be used for security-sensitive purposes such as password hashing, digital signatures, or certificate fingerprinting. Researchers demonstrated practical MD5 collision attacks in 2004, meaning two different inputs can be crafted to produce the same MD5 hash. However, MD5 remains acceptable for non-security use cases like checksums for data corruption detection, cache keys, and de-duplication identifiers where an adversary is not deliberately constructing collisions. For any security-critical application, use SHA-256 or SHA-512, which remain computationally infeasible to attack with current technology.
How do I verify a file's SHA-256 checksum after downloading it?
Use the "Hash a File" button on this page to upload the downloaded file and note the SHA-256 hash shown in the results. Then compare that hash character-by-character against the checksum published on the software's official release page or in its checksums.txt file. If they match exactly, the file is authentic and intact. You can also perform this verification from the command line: on Linux and macOS, run sha256sum filename; on macOS you can alternatively use shasum -a 256 filename; and on Windows PowerShell, use Get-FileHash filename -Algorithm SHA256. A mismatch indicates either file corruption during download or, in a worse case, that the file was replaced with a malicious version.