Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-512 hashes for text and files. Free, private — all processing in your browser.

The Hash Generator computes cryptographic hashes (also called message digests, checksums, or fingerprints) for any text, file, or binary data using industry-standard algorithms: MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA-3 (Keccak), and more. Hashes are one-way functions — they produce a fixed-length output from any input, and you cannot recover the input from the hash. Use them for verifying file integrity, checking downloads, generating cache keys, fingerprinting content, detecting duplicates, or as building blocks for digital signatures and HMAC authentication.

This hash generator runs entirely in your browser using the Web Crypto API (crypto.subtle.digest) — the same battle-tested cryptographic library used by TLS, modern secure messaging apps, and the operating systems they run on. Your text and files never leave your device. Hash a simple string in microseconds, or drag-and-drop a multi-gigabyte file and get its checksum without waiting for an upload. Compare computed hashes against expected values (e.g., from a Linux distro's official signatures) to verify downloads have not been tampered with or corrupted in transit.

Hash Generator — key features

7+ hash algorithms

Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA-3 (224, 256, 384, 512) hashes from any input. Select one or compute all at once.

Text and file hashing

Type or paste text to hash, or drag and drop any file — images, documents, archives, binaries — to get its checksum.

Hex or Base64 output

Get the hash as hex digits (the default) or Base64 (for compact storage or direct use in HTTP headers like Integrity).

Compare hashes

Paste an expected hash and the tool tells you if it matches — useful for verifying downloaded files against official checksums.

Bulk hashing

Hash multiple strings at once, one per line. Each gets its own hash in the output.

Web Crypto API backend

Uses native browser cryptography (crypto.subtle.digest), the same code that powers HTTPS. Fast, secure, and audited.

Handles large files

Stream files in chunks instead of loading everything at once. Multi-gigabyte files hash without crashing your tab.

100% client-side, private

Hashing happens in your browser. No uploads, no logging. Safe for sensitive files and confidential content.

How to use the Hash Generator

  1. Choose text or file mode

    Select Text tab to hash a string, or File tab to hash an uploaded file.

  2. Paste your input

    Type or paste the string, or drag and drop a file from your computer.

  3. Select algorithm(s)

    Pick MD5, SHA-1, SHA-256, or others. You can compute all at once to compare.

  4. Choose output format

    Hex (default) for readability and compatibility, Base64 for compact storage in HTTP headers or JSON.

  5. Copy the result

    The hash appears instantly. Click Copy to put it on your clipboard or Download to save as a file.

  6. Compare against expected hash (optional)

    Paste a known hash (e.g., from a software publisher's signature page) and the tool confirms match or mismatch.

Common use cases for the Hash Generator

File integrity

  • Verify downloaded software: Linux distros, open-source projects, and vendor sites publish SHA-256 checksums for their downloads. Hash the file after downloading and compare to detect corrupted or tampered files.
  • Detect file changes: Store hashes of important files and periodically re-hash to detect unauthorized modifications (e.g., Tripwire, AIDE).
  • Deduplicate storage: If two files have the same SHA-256 hash, they are the same file — use this to avoid storing duplicates in cloud storage systems.
  • Bit-rot detection: Hash archival files on write, re-hash periodically. Mismatches indicate silent disk corruption.

Content fingerprinting and caching

  • Cache keys: Use a hash of the input as a cache key — same input produces same key, no need for complex lookup logic.
  • Content-addressable storage: Git, IPFS, and Docker all identify objects by content hash. Same content → same ID.
  • Asset URLs with hashes: Web build tools (Webpack, Vite) append file content hashes to asset names so caches invalidate automatically when files change.
  • ETags for HTTP caching: Send the SHA-256 hash of a response as the ETag header. Clients send If-None-Match on subsequent requests; the server can return 304 Not Modified.

Security applications

  • Password hashing (with bcrypt/argon2): Never use plain SHA for passwords — use bcrypt, argon2, or scrypt. These are hash functions designed to be slow to resist brute force.
  • Digital signatures: RSA, ECDSA, Ed25519 sign a hash of the message, not the message itself. SHA-256 or SHA-384 is typical.
  • HMAC authentication: Combine SHA-256 with a secret key for message authentication codes (webhook signatures, API auth). Use our [HMAC Generator](https://tooleras.com/tools/hmac-generator).
  • Certificate fingerprints: SSL/TLS certificates are identified by SHA-256 or SHA-1 fingerprints. Verify certificate authenticity by comparing fingerprints.

Blockchain and Bitcoin

  • Bitcoin mining: Bitcoin uses double SHA-256 for block hashing. Miners compute billions of hashes per second looking for one below the target.
  • Blockchain addresses: Bitcoin addresses are derived from SHA-256 + RIPEMD-160 of the public key. Ethereum uses Keccak-256.
  • NFT content identification: NFTs reference media by content hash (IPFS) so the asset cannot be silently swapped.

Hash Generator — examples

MD5 of short text

Fast, 32-character output. Good for non-security checksums.

Input
Hello, World!
Output
MD5: 65a8e27d8879283831b664bd8b7f0ad4

SHA-256 of a sentence

The default modern hash — 64 characters of hex.

Input
The quick brown fox jumps over the lazy dog
Output
SHA-256: d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592

SHA-512 (longer hash)

128 hex characters — for high-security applications.

Input
password123
Output
SHA-512: ba3253876aed6bc22d4a6ff53d8406c6ad864195ed144ab5c87621b6c233b548baeae6956df346ec8c17f5ea10f35ee3cbc514797ed7ddd3145464e2a0bab413

Empty string hashes

Known sentinel values — every hash function produces a specific output for empty input.

Input
(empty string)
Output
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA-1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

File checksum verification

Verify downloaded file integrity.

Input
Downloaded ubuntu-24.04-live-server-amd64.iso
Hash the file with SHA-256
Expected: e240e4b801f7bb68c20d1356b60968ad0c33a41d00d828e74ceb3364a0317be9
Output
Computed hash matches expected — file is genuine

SHA-256 in Base64

Compact Base64 encoding (44 chars instead of 64 hex).

Input
Hash: SHA-256 of "Tooleras"
Format: Base64
Output
SHA-256: tXn2pR8vK9/d2Z+QGq3mEQXnBw4nzKlpoXZAgJ5DXdI=

Technical details

A cryptographic hash function takes an arbitrary input and produces a fixed-size output (the hash, digest, or fingerprint) with three key properties:

1. Deterministic — same input always produces the same hash.
2. One-way — cannot reverse the hash to recover the input.
3. Collision-resistant — computationally infeasible to find two inputs that produce the same hash.

Algorithms supported:

| Algorithm | Output size | Status | Use case |
|---|---|---|---|
| MD5 | 128 bits (32 hex) | Broken — not cryptographically secure | Legacy checksums, non-security use only |
| SHA-1 | 160 bits (40 hex) | Broken — collisions demonstrated (2017) | Git (transitioning), legacy systems only |
| SHA-256 | 256 bits (64 hex) | Secure, widely used | Default choice for new systems |
| SHA-384 | 384 bits (96 hex) | Secure | Higher security, TLS 1.3 |
| SHA-512 | 512 bits (128 hex) | Secure, fast on 64-bit | Password hashing, high-security contexts |
| SHA-3 (Keccak) | Variable (224-512 bits) | Secure, modern | Post-quantum preparation |

MD5 and SHA-1 are broken — researchers have produced meaningful collisions, meaning it is possible to construct two different inputs with the same hash. Never use them for digital signatures, certificate pinning, password storage, or any security-critical purpose. They remain acceptable for non-security use (file deduplication, cache keys, non-cryptographic checksums).

Output format: Hashes are raw binary data, usually displayed as hexadecimal (for readability and URL safety) or Base64 (for compact storage). A SHA-256 hash is 32 bytes — 64 hex characters or 44 Base64 characters.

For password hashing, do not use plain SHA: Passwords should use bcrypt, argon2, or scrypt — algorithms specifically designed to be slow and memory-hard, resistant to GPU brute-force attacks. Plain SHA-256 of a password is far too fast (~1 billion/sec on a modern GPU) to be secure. Use our bcrypt generator for passwords.

Common problems and solutions

Using MD5 or SHA-1 for security

MD5 (2004) and SHA-1 (2017) are broken — attackers can construct collisions. Never use them for digital signatures, certificate pinning, or anything where an adversary might forge collisions. Use SHA-256 or better for anything security-sensitive.

Using plain hash for password storage

SHA-256 is fast — a single GPU can compute billions of SHA-256 hashes per second. Attackers with a leaked hash database can try every 8-character password in minutes. Use bcrypt, argon2, or scrypt — algorithms specifically designed to be slow and memory-hard.

Not using salt for password hashes

Even with bcrypt, every password must use a unique salt (random data added before hashing) to prevent rainbow table attacks. Modern password hash libraries generate salt automatically — use them, do not roll your own.
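
The salted, slow password storage described in the last two items, as an added example that is not the tool's own code. It assumes Node.js and its built-in scrypt; the function names, the `$`-separated storage format and the cost parameters are illustrative choices.

```javascript
const crypto = require('crypto');

// scrypt cost parameters (assumed values for illustration; tune for your hardware).
const PARAMS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;

// Derive a key with a fresh random salt and store everything needed to re-derive it.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Re-derive with the stored salt and parameters, then compare in constant time.
function verifyPassword(password, stored) {
  const parts = stored.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [, N, r, p, saltB64, keyB64] = parts;
  const expected = Buffer.from(keyB64, 'base64');
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, 'base64'),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected);
}

// Unsalted fast hash, shown only for contrast: identical passwords give
// identical output, so one precomputed table covers every user.
function plainSha256(password) {
  return crypto.createHash('sha256').update(password).digest('hex');
}

const first = hashPassword('password123');   // constructed sample password
const second = hashPassword('password123');
console.log('salted records differ :', first !== second);
console.log('plain SHA-256 repeats :', plainSha256('password123') === plainSha256('password123'));
console.log('correct password      :', verifyPassword('password123', first));
console.log('wrong password        :', verifyPassword('password124', first));
```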

Comparing hashes with == in a time-sensitive context

String equality often short-circuits, leaking timing information that can reveal the hash to an attacker. Use constant-time comparison (e.g., `crypto.timingSafeEqual` in Node.js) for secrets like HMAC signatures or session tokens.

Truncating hashes

Truncating a SHA-256 to 8 characters is not a secure hash — collision probability rises dramatically. If you need a short identifier, use 16+ hex characters (64 bits) minimum, and test for collisions at scale.
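
A collision test of the kind recommended above, as an added example that is not the tool's own code. It assumes Node.js; the function names and the `record-N` inputs are constructed for illustration. It shows that an 8-character prefix of SHA-256 collides after a number of inputs near the birthday estimate.

```javascript
const crypto = require('crypto');

// First `hexChars` hex characters of SHA-256(input).
function truncatedSha256(input, hexChars) {
  return crypto.createHash('sha256').update(input).digest('hex').slice(0, hexChars);
}

// Hash distinct inputs until two of them share a truncated digest.
function findTruncatedCollision(hexChars, maxTries) {
  const seen = new Map(); // truncated digest -> first input that produced it
  for (let i = 0; i < maxTries; i++) {
    const input = `record-${i}`; // constructed inputs, all distinct
    const tag = truncatedSha256(input, hexChars);
    if (seen.has(tag)) {
      return { a: seen.get(tag), b: input, tag, tries: i + 1 };
    }
    seen.set(tag, input);
  }
  return null;
}

// Birthday estimate: number of random inputs for a ~50% chance of a collision
// in a space of 16^hexChars values.
function expectedTries(hexChars) {
  return Math.round(1.1774 * Math.sqrt(Math.pow(16, hexChars)));
}

const hit = findTruncatedCollision(8, 1000000);
console.log('estimate for 8 hex chars :', expectedTries(8));
console.log('estimate for 16 hex chars:', expectedTries(16));
console.log('collision found          :', hit);
```

The full 64-character digests of the two colliding inputs still differ; only the truncated prefix is shared.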

Confusing hash with encryption

Hashing is one-way — you cannot recover the input from the hash. Encryption is reversible with a key. Do not hash data you need to retrieve; encrypt it instead. Do not use encryption for integrity checks; use HMAC or a digital signature.

Assuming same-hash means same-file

For SHA-256, collision is astronomically unlikely for random content — but possible for maliciously crafted inputs. If you rely on hash-based identity for security-critical decisions, use at least SHA-256 (not MD5 or SHA-1) and consider combining with additional checks.

Hashing giant files by loading into memory

A 10 GB file loaded as a string will crash the browser. Hash files in chunks using the File.slice() API and chained crypto.subtle.digest calls, or use WebCrypto streaming if available.

Hash Generator — comparisons and alternatives

MD5 vs SHA-1 vs SHA-256: MD5 and SHA-1 are both broken — do not use for security. SHA-256 is the modern default, secure and fast. SHA-512 is slightly more secure and often faster on 64-bit CPUs because of its 64-bit operations. Always prefer SHA-256 for new code.

SHA-2 family (SHA-256, SHA-512) vs SHA-3 (Keccak): SHA-2 is the current standard — fast, widely supported, no known attacks. SHA-3 is the newer standard selected by NIST in 2015, built on different mathematical foundations (sponge construction). Both are secure; SHA-2 is more performant and more common. SHA-3 is being deployed where diversification matters (e.g., not relying on any single algorithm being secure).

SHA-256 vs BLAKE2 vs BLAKE3: BLAKE2 and BLAKE3 are modern hash functions optimized for speed — BLAKE3 is ~5x faster than SHA-256 on modern CPUs with SIMD. Used by content-addressable storage systems (BLAKE3 is the hash function in ArrayFire, Cloudflare, and some newer VCS). SHA-256 remains the standard for interoperability; BLAKE3 wins on performance-critical applications.

Hash vs CRC32: CRC32 is a non-cryptographic checksum — fast (~10 GB/s), 32-bit output, good for detecting random bit errors (disk corruption, network flips), useless against intentional tampering. Hash functions are slower but cryptographically secure. Use CRC for disk/network integrity, SHA for security.

Hash vs HMAC: A hash is deterministic — same input → same output, no key needed. HMAC combines a hash with a secret key for message authentication — same input + different key → different output. Use HMAC when you need to verify that data came from a specific sender (webhook signatures, API authentication). Use our HMAC Generator for HMAC-SHA256 and related.

Hashing passwords vs other data: Different algorithms for different purposes. Use bcrypt / argon2 / scrypt for passwords — deliberately slow. Use SHA-256 for data integrity, file fingerprints, cache keys — fast. Use HMAC-SHA256 for API signatures and webhook verification.

Frequently asked questions about the Hash Generator

What is a hash function?

A hash function is a mathematical algorithm that takes arbitrary input and produces a fixed-length output (the hash). The function is deterministic (same input always produces the same hash) and one-way (you cannot recover the input from the hash). Cryptographic hash functions (SHA-256, SHA-512) are also collision-resistant — it is computationally infeasible to find two inputs with the same hash.

Which hash algorithm should I use?

Use SHA-256 as the default for new code. It is secure, fast, widely supported, and produces a compact 256-bit fingerprint. Use SHA-512 if you need higher security or your platform prefers 64-bit operations. Never use MD5 or SHA-1 for security — they are broken. For password hashing, use bcrypt or argon2 instead of plain SHA.

Is MD5 secure?

No. MD5 is cryptographically broken — researchers can construct two different inputs that produce the same MD5 hash (collision attack, demonstrated in 2004). Do not use MD5 for digital signatures, certificate pinning, HMAC, password hashing, or anywhere an attacker might try to forge a match. MD5 remains acceptable for non-security use like file deduplication or cache keys.

Is it safe to hash sensitive data with this tool?

Yes. All hashing happens in your browser using the Web Crypto API (crypto.subtle.digest). Your input is never uploaded to any server. You can safely hash passwords (for bcrypt output, use the bcrypt tool), tokens, private files, and confidential documents. To verify that no outbound requests are made, open the Network tab in DevTools.

Can I hash large files?

Yes. The tool reads files in chunks using the File API, so file size is limited only by your browser memory. Multi-gigabyte files hash successfully. On slower computers, very large files may take several seconds — progress is shown.

How do I verify a downloaded file?

(1) Download the file. (2) Find the official hash (usually SHA-256 or SHA-512) on the publisher's website — e.g., Ubuntu publishes SHA256SUMS next to each ISO. (3) Drop the file into this tool and compute the same hash algorithm. (4) Compare — they should match exactly. If they do not match, the file is corrupted or tampered — do not use it.
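
The verification steps above, together with the chunked hashing and constant-time comparison discussed under "Common problems and solutions", as an added example that is not the tool's own code. It assumes Node.js and uses `crypto.createHash`, which accepts input incrementally; the function names and the in-memory sample standing in for a download are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hash a byte source piece by piece; only one chunk is processed at a time.
function sha256InChunks(bytes, chunkSize = 64 * 1024) {
  const hash = crypto.createHash('sha256');
  for (let off = 0; off < bytes.length; off += chunkSize) {
    hash.update(bytes.subarray(off, off + chunkSize));
  }
  return hash.digest(); // Buffer holding the 32 raw digest bytes
}

// Parse one "<hex digest>  <filename>" line as found in a SHA256SUMS file.
function parseSumsLine(line) {
  const m = /^([0-9a-fA-F]{64})\s+\*?(.+)$/.exec(line.trim());
  if (!m) throw new Error('not a SHA-256 checksum line');
  return { digest: Buffer.from(m[1], 'hex'), name: m[2] };
}

// Compare raw digests without stopping at the first differing byte.
function digestsMatch(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// True only if the checksum line is for this file and the digest matches.
function verifyDownload(bytes, sumsLine, expectedName) {
  const { digest, name } = parseSumsLine(sumsLine);
  if (name !== expectedName) return false;
  return digestsMatch(sha256InChunks(bytes), digest);
}

// Constructed sample: 1 MiB of repeating bytes standing in for a download.
const sample = Buffer.alloc(1024 * 1024, 'tooleras-sample');
const published =
  crypto.createHash('sha256').update(sample).digest('hex') + '  sample.iso';

const tampered = Buffer.from(sample);
tampered[500000] ^= 0x01; // a single flipped bit

console.log('intact file  :', verifyDownload(sample, published, 'sample.iso'));
console.log('tampered file:', verifyDownload(tampered, published, 'sample.iso'));
```

A match shows the file equals what the checksum describes, so the checksum itself must come from a source you trust, such as the publisher's HTTPS site.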

Should I use hashing for password storage?

Not plain hashing. Use a password hashing function designed for passwords: bcrypt, argon2, or scrypt. These are slow (by design) and memory-hard, making brute force attacks impractical. Plain SHA-256 is far too fast — an attacker with a leaked database can try billions of passwords per second. Use our bcrypt generator for password hashing.

What is the difference between hash and checksum?

In casual use, they are the same thing. Technically, checksum often refers to simple error-detection codes like CRC32 — fast but not cryptographically secure. Hash typically refers to cryptographic hash functions like SHA-256 — designed to resist deliberate tampering. Use cryptographic hashes for security, checksums for simple error detection.

What is the difference between hex and Base64 hash output?

A hash is raw bytes. Hex encoding represents each byte as 2 hex characters (SHA-256 = 64 hex chars). Base64 encoding is more compact (SHA-256 = 44 Base64 chars). Functionally identical — same hash, different display. Hex is standard for human reading and HTTP headers; Base64 is used in JSON responses, cache ETags, and SRI (Subresource Integrity) attributes.

Are hashes unique?

For cryptographic hashes like SHA-256, collisions are astronomically unlikely but theoretically possible (about 2^128 operations to find one by chance, far more than could be performed in the age of the universe). For practical purposes, treat SHA-256 hashes as unique identifiers. For MD5 and SHA-1, collisions have been demonstrated; do not rely on their uniqueness for security.
