Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text. All hashing runs in your browser — nothing is sent to any server.
Generate Cryptographic Hashes
Hash Verification
Paste an expected hash below to verify it matches the generated hash above.
What Is a Hash Function?
A cryptographic hash function takes an input of any size (a password, a file, an entire database) and produces a fixed-size output called a "hash" or "digest." The same input always produces the same hash, but even a tiny change in the input — flipping a single bit — produces a completely different hash. This property makes hash functions essential for data integrity verification, password storage, digital signatures, and blockchain technology.
Hash functions are one-way by design: given a hash output, it should be computationally infeasible to reverse-engineer the original input. This is different from encryption, which is designed to be reversible with the correct key.
Hash Algorithms Compared
| Algorithm | Output Size | Security Status | Speed | Recommended For |
|---|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Broken — collisions found | Very fast | Non-security checksums only |
| SHA-1 | 160-bit (40 hex chars) | Broken — collisions demonstrated in 2017 | Fast | Legacy systems only (Git still uses it) |
| SHA-256 | 256-bit (64 hex chars) | Secure — industry standard | Moderate | TLS certificates, Bitcoin, code signing, general use |
| SHA-384 | 384-bit (96 hex chars) | Secure | Moderate | High-security contexts, government systems |
| SHA-512 | 512-bit (128 hex chars) | Secure | Fast on 64-bit CPUs | Large file integrity, highest security needs |
| SHA-3 | Variable (224–512 bits) | Secure — different design from SHA-2 | Moderate | Future-proofing, defence-in-depth alongside SHA-2 |
How Hash Functions Work
Hash functions process input data through a series of mathematical transformations. SHA-256, for example, breaks the input into 512-bit blocks, then applies 64 rounds of bitwise operations (AND, OR, XOR, rotation, modular addition) using different constants for each round. The result is a 256-bit hash that is extremely sensitive to input changes — this property is called the avalanche effect.
To illustrate the avalanche effect: the SHA-256 hash of "hello" is 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, while the hash of "Hello" (capital H) is 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969 — a completely different string, despite only one character changing.
Common Uses for Hash Functions
- File Integrity Verification: When you download software, the publisher provides a SHA-256 hash. After downloading, you compute the hash of your file and compare it — if they match, the file was not corrupted or tampered with during transfer.
- Password Storage: Storing passwords in plain text is a critical security failure. Instead, store the hash of the password. When a user logs in, hash their input and compare it to the stored hash. Use bcrypt, Argon2, or scrypt — NOT MD5 or SHA-256 — for password hashing, because general-purpose hash functions are too fast (attackers can try billions of guesses per second).
- Digital Signatures: To sign a document, first compute its hash, then encrypt the hash with your private key. The recipient decrypts with your public key and compares the hash — this proves both authenticity (it came from you) and integrity (it was not modified).
- Data Deduplication: Cloud storage services hash each uploaded file. If the hash already exists in the system, the file is a duplicate and does not need to be stored again — saving enormous amounts of storage space.
- Blockchain: Every block in a blockchain contains the hash of the previous block, creating a tamper-evident chain. Bitcoin uses double SHA-256, while Ethereum uses Keccak-256 (a SHA-3 variant).
- Cache Keys: Web applications hash request parameters to generate cache keys. If the same combination of parameters is requested again, the cached response is served instead of recomputing it.
Hash Functions vs Encryption — Key Differences
| Property | Hashing | Encryption |
|---|---|---|
| Direction | One-way (irreversible) | Two-way (reversible with key) |
| Output Size | Fixed (e.g., 256 bits) | Proportional to input |
| Key Required | No | Yes |
| Purpose | Verify integrity | Protect confidentiality |
Why MD5 and SHA-1 Are Broken
A hash function is considered "broken" when someone can find two different inputs that produce the same hash output (a collision). MD5 collisions can be generated in seconds on a modern laptop. In 2017, Google demonstrated the first practical SHA-1 collision (the "SHAttered" attack), requiring 6,500 years of CPU time and 110 years of GPU time — expensive but feasible for well-funded attackers. As a result, certificate authorities stopped issuing SHA-1 TLS certificates, and browsers reject them. For any new project, use SHA-256 or SHA-3.
Frequently Asked Questions — Hash Generator
These are all cryptographic hash functions but differ in security and output size. MD5 produces a 128-bit (32-char hex) hash — fast but cryptographically broken (collision attacks are practical). SHA-1 produces 160-bit output — also broken for collision resistance. SHA-256 (part of SHA-2) produces 256-bit output and is currently secure. SHA-512 produces 512-bit output — more secure and faster on 64-bit CPUs than SHA-256. For security use, always prefer SHA-256 or SHA-512.
No — hashing is a one-way function by design. You cannot mathematically reverse a hash to get the original input. However, weak or common passwords can be "cracked" by pre-computed rainbow tables or brute-force lookups (hash the guess, compare to the target). This is why password hashing should use slow, salted algorithms like bcrypt, scrypt, or Argon2 — not MD5 or SHA-256.
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a message authentication code. Unlike a plain hash, HMAC verifies both integrity (data wasn't changed) and authenticity (only someone with the key could have created it). Use HMAC for API request signing, webhook verification, and secure tokens — not plain hashing.
Common uses: (1) Password storage — store the hash, not the plaintext password. (2) File integrity — verify a downloaded file wasn't tampered with by comparing its hash to the publisher's listed hash. (3) Digital signatures — sign the hash of a document. (4) Data deduplication — identify identical files by their hash. (5) Blockchain — each block contains the hash of the previous block, creating a tamper-evident chain.
Hash functions are deterministic — the same input always produces the same output. This property is essential for verification: to check if two files are identical, you can compare their hashes without comparing the full content. The avalanche effect means even a single character change completely transforms the output hash, making it easy to detect any modification.