Input Text

Generated Hashes Live

Start typing to see live hash generation...

Hash Generator - MD5, SHA-1, SHA-256, SHA-512 Online Tool

Generate cryptographic hashes instantly from any text. Free, browser-based hash calculator supporting MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32, Adler32, and FNV-1a. No data leaves your device.

What Is a Hash Function? Complete Guide to Cryptographic Hashing

A cryptographic hash function is a mathematical algorithm that takes an input of any length and produces a fixed-size output called a hash, digest, or checksum. The same input always produces the same hash, but even a single character change in the input produces a completely different hash - a property called the avalanche effect.

Hash functions are one-way functions: it is computationally infeasible to reverse a hash to recover the original input. This property distinguishes hashing from encryption (which is reversible with a key) and from encoding like Base64 (which is trivially reversible). Hash functions are a foundational building block of information security, used in digital signatures, data integrity verification, password storage, blockchain, and API authentication.

Our free online hash generator computes MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32, Adler32, and FNV-1a hashes entirely in your browser using the Web Crypto API - no server calls, no data leakage, completely private.

How to Use This Online Hash Generator

This tool is designed for speed and simplicity. Here is how to generate a hash in seconds:

  1. Enable Live Preview to generate hashes automatically as you type (recommended).
  2. Type or paste your text into the left input panel. Accepts any text including JSON, passwords, file contents, API keys, and Unicode.
  3. Select your desired hash algorithm from the dropdown (SHA-256 is recommended for most use cases).
  4. The hash updates live in the right panel - or click Generate if Live Preview is off.
  5. Click All to generate all 8 hash algorithms at once for comparison.
  6. Use the Copy button next to each hash to copy it to your clipboard.
  7. Drag the center divider to resize the input/output panels to your preference.

Hash Algorithms Explained: MD5, SHA-256, SHA-512 and More

MD5 - 128-bit (32 hex chars)

Developed by Ronald Rivest in 1991, MD5 was the dominant hash algorithm for most of the 1990s and 2000s. It produces a 128-bit (32 hexadecimal character) output. MD5 is cryptographically broken - collision attacks have been demonstrated, meaning two different inputs can produce the same MD5 hash. It should not be used for security-sensitive applications like password hashing or digital signatures. MD5 remains useful for non-cryptographic purposes like file checksums, deduplication keys, and cache invalidation where collision resistance is not critical.

SHA-1 - 160-bit (40 hex chars)

SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995. It produces a 160-bit (40 hex character) digest. SHA-1 was officially broken in 2017 when Google's SHAttered attack demonstrated a practical collision. SHA-1 should not be used for any security purpose. Major browsers and certificate authorities have deprecated SHA-1 for TLS certificates. It persists in legacy systems, Git object storage, and some older protocols, but should be migrated to SHA-256 or stronger.

SHA-256 - 256-bit (64 hex chars) ✓ Recommended

SHA-256 is part of the SHA-2 family designed by the NSA and published by NIST in 2001. It produces a 256-bit (64 hex character) digest and is currently considered cryptographically secure with no known practical attacks. SHA-256 is the most widely deployed cryptographic hash function today, used in TLS/HTTPS certificates, Bitcoin mining (double SHA-256), JWT HMAC-SHA256 signing, code signing, Subresource Integrity (SRI) in browsers, npm package-lock.json integrity fields, and AWS Signature Version 4. For any new development, SHA-256 is the recommended default.

SHA-512 - 512-bit (128 hex chars)

SHA-512 is the strongest member of the SHA-2 family. It produces a 512-bit (128 hex character) digest. While SHA-256 is sufficient for the vast majority of use cases, SHA-512 provides a higher security margin for applications requiring maximum cryptographic strength. SHA-512 is actually faster than SHA-256 on 64-bit processors because it uses 64-bit word operations. It is used in applications requiring long-term security guarantees, high-security digital signatures, and HMAC-SHA512 for API authentication.

SHA-384 - 384-bit (96 hex chars)

SHA-384 is a truncated version of SHA-512, producing a 384-bit (96 hex character) output. It provides a middle ground between SHA-256 and SHA-512 in terms of output size and security margin. SHA-384 is used in some TLS cipher suites and certificate types requiring larger digest sizes without the full overhead of SHA-512. It is part of FIPS 180-4 and is approved for use in U.S. federal government cryptography applications.

CRC32 - 32-bit checksum (8 hex chars)

CRC32 (Cyclic Redundancy Check) is not a cryptographic hash - it is a checksum algorithm designed for error detection in digital networks and storage. It produces a 32-bit (8 hex character) output and is extremely fast. CRC32 is used in ZIP file compression, PNG image format, Ethernet and other network protocols, and zlib compression. It is not suitable for any security purpose because collisions can be engineered intentionally. Use CRC32 only for accidental error detection.

Adler32 - 32-bit checksum

Adler32 is a checksum algorithm developed by Mark Adler as part of the zlib compression library. It is faster but slightly less reliable than CRC32 for detecting errors. Adler32 is used in the zlib format (gzip, deflate compression) and the PNG image standard. Like CRC32, it is not cryptographically secure and should only be used for non-security checksum purposes.

FNV-1a - 32-bit non-cryptographic hash

FNV-1a (Fowler–Noll–Vo) is a popular non-cryptographic hash function known for its speed and good distribution properties. It is widely used in hash tables, databases, programming language runtimes, and data structures where speed matters more than collision resistance. FNV-1a is not suitable for security applications. Our implementation uses the 32-bit variant.

Real-World Use Cases for Hash Functions

File Integrity Verification

Software downloads are accompanied by SHA-256 checksums so users can verify the downloaded file has not been tampered with or corrupted. Compute the SHA-256 hash of your downloaded file and compare it to the official checksum. If they match, the file is authentic. This is how package managers (npm, pip, apt) verify package integrity.

API Webhook Signatures (HMAC)

Services like GitHub, Stripe, and Shopify sign webhook payloads using HMAC-SHA256 (Hash-based Message Authentication Code). The server computes the HMAC of the request body using a shared secret and sends it in a header. Your server recomputes the HMAC and compares - matching means the payload is authentic and unmodified.

Subresource Integrity (SRI)

When loading scripts or stylesheets from a CDN, add an integrity attribute containing the SHA-256 or SHA-384 hash of the file: integrity="sha256-abc...". Browsers verify the resource matches before executing it, preventing CDN compromise attacks. Generate SRI hashes using this tool.

Content Deduplication

Hash file contents to generate unique fingerprints. Two files with identical SHA-256 hashes are byte-for-byte identical (with extremely high probability). This is how Git identifies commits and blobs, how cloud storage systems detect duplicate uploads, and how CDNs generate cache keys.

Data Fingerprinting and ETags

HTTP ETags use hashes of resource content to enable conditional requests. When content changes, the hash changes, and the browser knows to fetch a fresh copy. Hash-based ETags are also used for cache invalidation in CDNs, API versioning, and optimistic concurrency control in databases.

Password Hashing (Properly)

Plain SHA-256 is not suitable for password storage because it is too fast - attackers can compute billions of SHA-256 hashes per second to crack passwords via rainbow tables or brute force. For passwords, use slow adaptive hash functions: Argon2id (modern best practice), bcrypt, or scrypt, all of which include a random salt and adjustable work factor to resist attacks.

Hashing vs Encryption vs Encoding - Key Differences

PropertyHashingEncryptionEncoding (Base64)
Reversible?NoYes (with key)Yes (trivially)
Requires key?NoYesNo
Fixed output size?YesVariable~33% larger
PurposeIntegrityConfidentialityCompatibility
SecurityHigh (SHA-256+)High (AES-256)None
ExamplesSHA-256, bcryptAES-GCM, RSABase64, URL enc

Code Examples: Generate SHA-256 and MD5 Hashes

JavaScript (Browser - Web Crypto API)

async function sha256(text) {
  const encoder = new TextEncoder();
  const data = encoder.encode(text);
  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
  return Array.from(new Uint8Array(hashBuffer))
    .map(b => b.toString(16).padStart(2, "0"))
    .join("");
}

const hash = await sha256("Hello, World!");
// a591a6d40bf420404a011733cfb7b190...

Python - hashlib

import hashlib

# SHA-256
sha256_hash = hashlib.sha256(
  "Hello, World!".encode("utf-8")
).hexdigest()

# MD5 (not for security)
md5_hash = hashlib.md5(
  "Hello, World!".encode("utf-8")
).hexdigest()

Node.js - crypto module

const crypto = require("crypto");

const sha256 = crypto
  .createHash("sha256")
  .update("Hello, World!", "utf8")
  .digest("hex");

const md5 = crypto
  .createHash("md5")
  .update("Hello, World!", "utf8")
  .digest("hex");

PHP

// SHA-256
$sha256 = hash("sha256", "Hello, World!");

// MD5
$md5 = md5("Hello, World!");

// SHA-512
$sha512 = hash("sha512", "Hello, World!");

Frequently Asked Questions About Hash Generation

What is the best hash algorithm to use in 2026?

For most applications, SHA-256 is the recommended default - it is secure, widely supported, and fast. For password storage, use Argon2id or bcrypt (not raw SHA-256). For file integrity and SRI, SHA-256 or SHA-384 are standard. For maximum security margin, use SHA-512. Never use MD5 or SHA-1 for new security applications.

Can a hash be reversed or cracked?

Cryptographic hash functions are one-way - you cannot mathematically reverse a hash to recover the original input. However, common strings may appear in precomputed rainbow tables. For example, the MD5 hash of "password" is well-known and indexed. This is why password storage must use unique per-user salts combined with slow hash functions (bcrypt, Argon2id) that make precomputed table attacks infeasible.

Why does the same text always produce the same hash?

Hash functions are deterministic - identical inputs always produce identical outputs. This is by design: it enables you to verify data integrity by recomputing the hash and comparing. The SHA-256 hash of "Hello, World!" will always be a591a6d40bf420404a011733cfb7b190... on any computer, in any programming language, at any time.

What is a hash collision?

A collision occurs when two different inputs produce the same hash output. For MD5 and SHA-1, collisions have been demonstrated with practical attacks (Flame malware used an MD5 collision in 2012; Google's SHAttered demonstrated a SHA-1 collision in 2017). SHA-256 has no known practical collisions - the 2^128 operations required for a collision are computationally infeasible with current and foreseeable technology.

How do I verify a file download using SHA-256?

After downloading a file, compute its SHA-256 hash and compare it to the official checksum provided by the publisher. On Linux/macOS: sha256sum filename or shasum -a 256 filename. On Windows PowerShell: Get-FileHash filename -Algorithm SHA256. If the hashes match exactly, the file is authentic and uncorrupted.

Is my data secure when using this hash tool?

Yes. All hashing is performed entirely in your browser using the Web Crypto API. No text is transmitted to any server. You can confirm this by opening browser DevTools and monitoring the Network tab while using the tool - zero requests are made. This makes it safe to hash sensitive strings like API keys, passwords, and private data.

What is HMAC and how does it differ from a plain hash?

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce an authentication code. Unlike a plain hash that verifies data integrity, HMAC also proves authenticity - only someone with the secret key can produce the correct HMAC. HMAC-SHA256 is used in API authentication (AWS Signature V4, Stripe webhook verification), JWT signing (HS256), and TLS handshakes.