Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text. Uses the Web Crypto API — 100% client-side.
No data sent to serverRelated Tools
What is a Hash Function?
A cryptographic hash function takes an input (called a "message") of any size and produces a fixed-size output (the "digest" or "hash") that uniquely identifies the input. A good cryptographic hash has four key properties: determinism (same input → same output every time), preimage resistance (given a hash, you cannot find the original input), collision resistance (no two different inputs produce the same hash), and the avalanche effect (changing a single bit in input flips ~50% of output bits).
What hashes are used for
- Data integrity — file checksums, Git commits, blockchain blocks
- Digital signatures — sign the hash, not the whole document
- Password storage — but only with slow hashes (Argon2, bcrypt) plus salt, NOT plain SHA-256
- Hash tables — fast lookup data structures
- Deduplication — identifying duplicate files by content
- Proof-of-work — Bitcoin mining (SHA-256 squared)
Hash vs encryption vs encoding
These three are fundamentally different. Encoding (Base64, URL encoding) is reversible without a key. Encryption (AES, RSA) is reversible with a key. Hashing is one-way — designed to be impossible to reverse, even with infinite compute. Confusing these is the source of many security bugs.
Algorithm Reference
| Algorithm | Output bits | Hex chars | Status | Use for |
|---|---|---|---|---|
| MD5 | 128 | 32 | Broken (1995) | Non-security checksums only |
| SHA-1 | 160 | 40 | Broken (2017) | Legacy Git, deprecated for new use |
| SHA-256 | 256 | 64 | Secure | Default for most uses |
| SHA-512 | 512 | 128 | Secure | Faster than SHA-256 on 64-bit hardware |
| SHA-3 | 224–512 | 56–128 | Secure | Different construction (Keccak), backup if SHA-2 falls |
| BLAKE3 | 256+ | 64+ | Secure | Fastest modern hash; parallel |
Why MD5 and SHA-1 are broken
MD5 had pseudo-collision weaknesses demonstrated in 1995, but the first practical collision attack was published by Wang et al. in 2004 — after which collisions can be produced in seconds on commodity hardware. The famous "Flame" malware (2012) used an MD5 collision to forge Microsoft code-signing certificates. SHA-1 was broken in February 2017 by the SHAttered attack from CWI Amsterdam and Google — the first real PDF collision demonstrated. Both still appear in legacy systems but should never be used for new security work.
For passwords: don't use these
SHA-256 of a password is too fast — billions of guesses per second on a GPU. Use slow, memory-hard password hashing functions instead: Argon2id (current best), scrypt, or bcrypt. These are designed to take ~100ms per hash, slowing brute-force attacks by factors of millions.
FAQ
Which hash algorithm should I use?
For data integrity, file checksums, and digital signatures: SHA-256. For passwords: Argon2id (or bcrypt/scrypt). For Git or legacy compatibility: SHA-1 (Git is migrating to SHA-256). Avoid MD5 and SHA-1 for any new security-critical use.
Can I decrypt a hash?
No. Hash functions are mathematically one-way. You can never "decrypt" a hash. What attackers do is guess — hash candidate inputs and compare against the target hash. That's why slow hashes (Argon2) and large input spaces (long passwords) matter.
Why are my MD5 and SHA-256 of "hello" different from another tool?
Likely a trailing newline. echo "hello" | md5 hashes 6 bytes (hello\n), not 5. Use echo -n "hello" | md5 to suppress the newline. This tool hashes exactly the bytes you typed (no trailing newline).
Does this tool support Unicode?
Yes. Input is UTF-8 encoded before hashing, so Korean, Chinese, emoji, and accented characters all hash deterministically.
What about HMAC?
HMAC is a keyed hash — it combines a secret key with input, producing an authenticated hash. Use HMAC for message authentication and API request signing. This tool currently shows unkeyed hashes; for HMAC, use crypto.subtle.sign("HMAC", key, data) in your code.
What's the difference between hash and checksum?
"Checksum" is the broader term — any short value derived from input to detect changes. CRC32 is a checksum but not cryptographic (collisions are easy). Cryptographic hashes (SHA-256, etc.) are stronger checksums designed to resist deliberate tampering, not just random errors.
⚠️ Reference Only
Output is generated based on your input and is provided for reference. Results may vary depending on your specific use case, edge cases, or environment-specific behavior. We do not guarantee accuracy of conversions, validations, or computed values.
Always verify critical outputs against official documentation or production environments. We are not responsible for any decisions or losses based on these tool results.
📖 Related Guides
JWT Anatomy — Header, Payload, Signature
Understand JWT structure, claims, and signing algorithms. Security best practices.
URL Encoding — When to Use What
encodeURI vs encodeURIComponent vs escape. Query strings, paths, and reserved characters.
Hash Algorithms — MD5, SHA-1, SHA-256, bcrypt
When to use each hash function. Security comparison and password storage best practices.