Hash Generator
Compute MD5 and SHA-* hashes.
- MD5
… - SHA-1
… - SHA-256
… - SHA-384
… - SHA-512
…
About Hash Generator
Local hash generator. SHA-* uses Web Crypto; MD5 uses js-md5.
How to use
- 1Paste your text.
- 2See every common hash computed live.
- 3Copy whichever one you need.
A hash function takes any input and produces a fixed-length fingerprint. The same input always produces the same hash. Different inputs (almost) always produce different hashes. That property powers everything from file integrity checks to digital signatures to password storage. This tool computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 locally in your browser — none of your input ever leaves the page.
Which hash for which job
MD5 and SHA-1 are broken for security purposes — practical collision attacks exist for both — but remain fine for non-adversarial uses: content-addressing, cache keys, file integrity checksums where you trust the source. SHA-256 is the modern default for general-purpose hashing and what you should reach for unless you have a specific reason not to. SHA-384 and SHA-512 are larger digests (and faster than SHA-256 on 64-bit hardware, since they process larger blocks). For password storage, none of these are appropriate — use Argon2, scrypt, or bcrypt instead, which deliberately slow down hashing to make brute-force attacks impractical.
Why your hashes don't match the CLI
Almost always: a trailing newline. `echo "foo" | sha256sum` hashes the four bytes `foo\n` because `echo` appends a newline. `echo -n "foo" | sha256sum` or `printf "foo" | sha256sum` hashes the three bytes `foo`. Both produce different hashes. This tool hashes exactly what you paste — no implicit newline. If you need to match a CLI output, double-check whether the CLI added a newline or not.
Frequently asked questions
Quick answers to the questions people actually ask about Hash Generator.
When should I use MD5 vs SHA-256 vs SHA-512?
When should I use MD5 vs SHA-256 vs SHA-512?
MD5 is broken for security — collisions can be generated in seconds — but is still fine for non-security uses like file integrity checksums, cache keys, or content addressing. SHA-256 is the modern default for general-purpose hashing. SHA-512 is faster than SHA-256 on 64-bit hardware (it processes 1024-bit blocks instead of 512-bit) and is a reasonable upgrade for larger inputs. None of these should be used directly for password hashing — use Argon2, scrypt, or bcrypt for that.
Is hashing the same as encryption?
Is hashing the same as encryption?
No — and confusing them is a common pitfall. Hashing is one-way: you can't recover the original input from the hash. Encryption is two-way: with the key, the original is recoverable. Passwords get hashed (so a database leak doesn't reveal plaintext). Files get encrypted (so the data is unreadable in transit or at rest).
Why are my hashes different from `openssl` or `shasum`?
Why are my hashes different from `openssl` or `shasum`?
Almost always a trailing newline. When you `echo "foo"` in a shell, you actually pass `foo\n` (with newline) — that hashes differently from the 3-character string `foo`. Use `printf` or `echo -n` to avoid the newline. Encoding also matters: UTF-8 and UTF-16 of the same string produce different hashes.
Does anything leave my browser?
Does anything leave my browser?
No. SHA-1, SHA-256, SHA-384, and SHA-512 use the Web Crypto API's `crypto.subtle.digest()`, which is native browser code. MD5 uses a small JS library (`js-md5`) because the Web Crypto API deliberately doesn't expose MD5. All four run synchronously in your browser. No network calls.
Can I hash a file?
Can I hash a file?
Right now we hash text. File hashing is a planned addition — typically you'd drag in a file and get its SHA-256 to compare against a published checksum. Useful for verifying downloads.
What's HMAC and is it here?
What's HMAC and is it here?
HMAC is keyed hashing — `HMAC-SHA256(secret, message)` — used to verify integrity and authenticity when you and the verifier share a secret. It's commonly used for webhook signatures (GitHub, Stripe) and JWT HS256 signing. Not in this tool yet; we want to be deliberate about anywhere a secret gets pasted into a browser tool.