Hash Generator
Generate MD5, SHA-1, and SHA-256 hashes instantly. Free online hash generator using Web Crypto API.
Cryptographic hash functions are fundamental tools in computing. They take input data of any length and produce a fixed-length output called a hash, digest, or checksum. The output looks like a random string of hexadecimal characters. Two key properties make hashes useful: the same input always produces the same hash, and it is computationally infeasible to find two different inputs that produce the same hash (collision resistance).
This tool generates hashes using three widely used algorithms. MD5 produces a 128-bit (32-character) hash and is fast but no longer considered secure for cryptographic purposes. SHA-1 produces a 160-bit (40-character) hash and is similarly deprecated for security use but common in legacy systems. SHA-256 is part of the SHA-2 family, produces a 256-bit (64-character) hash, and is the current standard for secure applications.
Common applications of hash functions include verifying file integrity (comparing the hash of a downloaded file against the publisher's listed checksum), storing password fingerprints in databases (always use bcrypt or Argon2 for passwords, not raw SHA-256), generating unique identifiers from content (content-addressable storage), digital signatures, and commit IDs in version control systems like Git.
SHA-1 and SHA-256 hashes are computed using the browser's native Web Crypto API, which is implemented in optimized C++ and highly reliable. MD5 uses the crypto-js library. All computation happens locally in your browser — your input is never transmitted anywhere.
Which algorithm should I use?
- MD5 — fast, 128-bit, cryptographically broken. Fine for non-security checksums (file integrity during a download, cache keys, quick fingerprinting). Never use for signatures, passwords, or anything an adversary might try to forge.
- SHA-1 — 160-bit, deprecated. Still used by Git for commit IDs, but modern systems have moved to SHA-256. Avoid for new work.
- SHA-256 — 256-bit, part of SHA-2, the current mainstream secure hash. Used by TLS certificates, Bitcoin, code signing, and most file-integrity workflows. The correct default.
Do not hash passwords with these
Passwords need a slow, memory-hard hash with a per-user salt — bcrypt, scrypt, Argon2, or PBKDF2 with a large iteration count. A plain SHA-256 of a password can be brute-forced at billions of guesses per second on a GPU. Every time a data breach exposes "hashed passwords", the question is which hash; sites that used SHA-256 directly had their password corpus cracked within days. Use a password-hashing library; do not roll your own.
Checksums vs signatures
A checksum tells you whether a file has changed. A signature tells you who produced it. If you download an installer from a mirror and verify it against a SHA-256 published on the project's HTTPS site, you have confirmed integrity — but only if the published checksum itself is authentic. For stronger guarantees, projects publish a cryptographic signature (GPG, Sigstore, minisign) that binds the hash to a specific signing identity.
Hashing in the browser
The Web Crypto API (crypto.subtle.digest) handles SHA-family hashes natively. It does not include MD5, which is why this tool uses crypto-js for that one algorithm. All computation happens on your device; nothing is uploaded. For files of more than a few megabytes, the browser chunks the input and streams it through the hash function.