#️⃣ Security

Hash Generator

Generate MD5, SHA-1, SHA-256 and SHA-512 cryptographic hashes from any text input or file. All hashing runs in your browser using the native Web Crypto API β€” nothing is sent to a server.

πŸ“ Input
πŸ” Hash Results
πŸ”
Enter text or select a file above
βœ… Verify / Compare Hash

Paste an expected hash below to verify it matches one of the computed values above.

Note on MD5 & SHA-1: These are computed using a pure-JS implementation for legacy support. SHA-256 and SHA-512 use the browser's native crypto.subtle API. MD5 and SHA-1 are cryptographically broken β€” avoid them for security purposes.
πŸ“– How to Use This Tool
β–Ό
1
Enter text or drag a file into the input
2
All algorithms (MD5, SHA-1, SHA-256, SHA-512) compute at once
3
Use Compare tab to verify a hash matches
4
Click any hash value to copy it
πŸ“ Examples
SHA-256
Input: hello
Output: 2cf24dba5fb0a...
MD5
Input: password
Output: 5f4dcc3b5aa765d6...

The Problem Hash Generator Solves

Verifying that a file hasn't been corrupted or tampered with requires comparing it against a known-good fingerprint, but computing that fingerprint usually means opening a terminal and remembering which flag your OS's checksum utility wants. The Hash Generator computes cryptographic hash values β€” MD5, SHA-1, SHA-256, and SHA-512 β€” from any text input or file, entirely within your browser, with no installation step. A cryptographic hash function transforms arbitrary data into a fixed-length fingerprint that uniquely represents the input; even a single character change in the input produces a completely different hash output, which is what makes hashes useful for detecting corruption and confirming authenticity.

In DevOps and security engineering, hash functions serve as a fundamental primitive across many workflows. Container image digests in Docker and Kubernetes are SHA-256 hashes. Package managers like npm, pip, and Homebrew use SHA-256 checksums to verify that downloaded packages match what the registry published. Infrastructure-as-code tools use content hashing to detect configuration drift. Understanding which algorithm to use and when is a core skill for anyone working in platform engineering or security.

How It Works Under the Hood

SHA-256 and SHA-512 are computed using the browser's native crypto.subtle.digest() API, which provides hardware-accelerated hashing with no external dependencies. MD5 and SHA-1, which are deprecated for security use but still needed for legacy compatibility, are implemented in pure JavaScript using the reference algorithms from their respective RFCs. File hashing reads the file as an ArrayBuffer using the FileReader API and passes the raw bytes to the same hash functions, so the result matches what command-line tools like sha256sum would produce for the same file.

Real-World Use Cases

Hashing vs HMAC vs Encryption

A plain hash like SHA-256 is a one-way fingerprint with no secret involved β€” anyone can compute the same hash from the same input, which makes it useful for integrity checks but unsuitable for proving who produced the data, since an attacker can simply recompute a matching hash for tampered content. HMAC adds a shared secret key into the hashing process, so only parties who know the secret can produce or verify a valid tag β€” this is the right tool when you need to authenticate a message's origin, such as verifying a webhook actually came from the platform that claims to have sent it, rather than merely checking it for accidental corruption. Encryption is a different primitive entirely: where hashing is one-way and irreversible by design, encryption is reversible and intended to keep data confidential rather than to fingerprint it β€” hashing a password and encrypting a password serve opposite goals, and conflating the two is a common and serious security mistake. For checksum and deduplication use cases like the ones this tool targets, a plain hash is the correct and sufficient choice; reach for HMAC only when authenticity against a specific holder of a secret matters.

Frequently Asked Questions

What hash algorithms does this tool support?

This tool supports MD5, SHA-1, SHA-256, and SHA-512. SHA-256 and SHA-512 are computed using the browser's native Web Crypto API (crypto.subtle), which provides fast, hardware-accelerated computation directly in the browser without any server communication. MD5 and SHA-1 are computed using pure JavaScript implementations because the Web Crypto API does not support these deprecated algorithms. All four algorithms run simultaneously when you type or upload a file, so you can compare outputs across algorithms without any extra steps.

Is MD5 still safe to use?

MD5 is considered cryptographically broken and should never be used for security-sensitive purposes such as password hashing, digital signatures, or certificate fingerprinting. Researchers demonstrated practical MD5 collision attacks in 2004, meaning two different inputs can be crafted to produce the same MD5 hash. However, MD5 remains acceptable for non-security use cases like checksums for data corruption detection, cache keys, and de-duplication identifiers where an adversary is not deliberately constructing collisions. For any security-critical application, use SHA-256 or SHA-512, which remain computationally infeasible to attack with current technology.

How do I verify a file's SHA-256 checksum after downloading it?

Use the "Hash a File" button on this page to upload the downloaded file and note the SHA-256 hash shown in the results. Then compare that hash character-by-character against the checksum published on the software's official release page or in its checksums.txt file. If they match exactly, the file is authentic and intact. You can also perform this verification from the command line: on Linux and macOS, run sha256sum filename; on macOS you can alternatively use shasum -a 256 filename; and on Windows PowerShell, use Get-FileHash filename -Algorithm SHA256. A mismatch indicates either file corruption during download or, in a worse case, that the file was replaced with a malicious version.