ToolSec

Hash Generator (MD5, SHA-1, SHA-256, SHA-512)

Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.

Updated: June 26, 2026

What is a hash function?

A cryptographic hash function takes any input and produces a fixed-length "fingerprint" called a digest. The same input always yields the same digest, but even a one-character change produces a completely different result, and you cannot reverse a digest back to the original input. Hashes are used for verifying file integrity, indexing data, and — combined with proper techniques — storing passwords.

The algorithms here

  • MD5 (128-bit) — fast and still common for non-security checksums, but cryptographically broken: attackers can craft collisions. Never use it for signatures or password storage.
  • SHA-1 (160-bit) — also broken for collision resistance (the SHAttered attack, 2017). Deprecated for security; fine only for legacy compatibility checks.
  • SHA-256 / SHA-384 / SHA-512 — the SHA-2 family, currently recommended. SHA-256 is the default choice for integrity and digital signatures; SHA-512 can be faster than SHA-256 on 64-bit hardware for large inputs.

Common uses

  • Verifying that a downloaded file matches the publisher's checksum.
  • Generating a stable cache key or content-addressed identifier.
  • Detecting whether two pieces of data are identical without comparing them byte by byte.
  • Building the inner primitive for HMAC message authentication.

Hashing is not encryption — and not enough for passwords

A hash is one-way: there is no key and no "unhash" operation. That also means a plain hash is the wrong tool for storing passwords. Because hashing is fast, attackers can try billions of guesses per second against a leaked database. To store passwords you need a slow, salted algorithm such as bcrypt, scrypt or Argon2 — not a bare SHA-256. Use this tool for integrity and checksums, not for hashing user passwords directly.

Why run it in the browser?

Every digest on this page is computed locally with the Web Crypto API (and a built-in MD5 implementation, since Web Crypto omits the broken MD5). Your input never leaves the page, so you can safely hash internal data. For keyed authentication where both integrity and authenticity matter, use our HMAC generator instead.
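
As an added example (not ToolSec's own code), this shows SHA-2 digests computed with the Web Crypto API as described above and applied to the first common use, checking data against a publisher's checksum. The helper names, the `release.bin` filename and the sample checksum line are constructed for illustration.

```javascript
// Added example (not ToolSec's code): SHA-2 digests and checksum checks via Web Crypto.
// Hex length of each accepted digest (bits / 4). MD5 and SHA-1 are left out on purpose.
const HEX_LEN = new Map([['SHA-256', 64], ['SHA-384', 96], ['SHA-512', 128]]);

// Resolve SubtleCrypto in a browser or in Node (older Node has no global `crypto`).
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto');
  return webcrypto.subtle;
}

// Hash a string (encoded as UTF-8) or a Uint8Array; return lowercase hex.
async function digestHex(algorithm, input) {
  const bytes = typeof input === 'string' ? new TextEncoder().encode(input) : input;
  const buf = await (await getSubtle()).digest(algorithm, bytes);
  return Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Check data against a published line such as "<hex>  release.bin" (sha256sum style).
// Malformed or wrong-length checksums throw instead of silently comparing unequal.
async function verifyChecksum(algorithm, data, publishedLine) {
  const want = HEX_LEN.get(algorithm);
  if (!want) throw new Error(`refusing ${algorithm}: use SHA-256, SHA-384 or SHA-512`);
  const expected = publishedLine.trim().split(/\s+/)[0].toLowerCase();
  if (!/^[0-9a-f]+$/.test(expected) || expected.length !== want) {
    throw new Error(`not a ${algorithm} checksum: need ${want} hex characters`);
  }
  return (await digestHex(algorithm, data)) === expected;
}

// Constructed sample: checksum line for a "file" whose content is the text "abc".
const PUBLISHED =
  'BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  release.bin';

async function demo() {
  return {
    intact: await verifyChecksum('SHA-256', 'abc', PUBLISHED),
    tampered: await verifyChecksum('SHA-256', 'abd', PUBLISHED), // one character changed
  };
}
demo().then((r) => console.log(r));
```

The published checksum is public, so an ordinary string comparison is sufficient here; the length and character checks catch a truncated line or a checksum pasted for the wrong algorithm.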

Frequently asked questions

Which hash algorithm should I use?

For anything security-related, use SHA-256 (or SHA-512). Avoid MD5 and SHA-1 — both are cryptographically broken and only suitable for non-security checksums or legacy compatibility.

Can I reverse a hash to get the original text?

No. Hash functions are one-way by design. So-called 'hash reversers' are just lookup tables of previously computed hashes for common inputs — they don't actually invert the function.

Is SHA-256 good for storing passwords?

Not on its own. Plain SHA-256 is too fast, which helps attackers brute-force leaked hashes. Use a slow, salted password hash like bcrypt, scrypt or Argon2 for credentials.

Why is MD5 still around if it's broken?

MD5 is fast and fine for non-adversarial checksums, like detecting accidental file corruption. It is only broken against deliberate collision attacks, so it lingers in legacy systems.

Integrity & secrets tooling

Teams that depend on integrity checks and credential security often adopt:

  • Password manager: Generate and store strong, unique credentials so you never need to hash passwords by hand.
  • Software supply-chain / signing platform: Sign and verify build artifacts with strong hashes so users can confirm downloads are authentic.