Hash Generator
md5 · sha-1 · sha-256 · sha-512
$ how-to-use
Enter text and select a hash algorithm (MD5, SHA-1, SHA-256, SHA-512). The hash is generated instantly. Click to copy the hash value.
What is Hashing?
A hash function takes any input and produces a fixed-length string of characters. The same input always produces the same hash, but even a tiny change in input produces a completely different hash. This makes hashes ideal for verifying data integrity.
Hashing is one-way — you cannot reverse a hash back to the original input. This is different from encryption, which is designed to be reversible with the right key. Hashes are used for password storage, file integrity checks, digital signatures, and data deduplication.
Hash Algorithms
MD5 (128-bit)
Fast but cryptographically broken. Still used for checksums and non-security purposes like cache keys and file deduplication.
SHA-1 (160-bit)
Deprecated for security use since 2017. Still seen in legacy systems and Git commit hashes (Git is transitioning to SHA-256).
SHA-256 (256-bit)
The current standard. Used in SSL/TLS, Bitcoin, code signing, and most modern security applications. Strong and widely supported.
SHA-512 (512-bit)
Longer output for higher security margin. Actually faster than SHA-256 on 64-bit processors. Used when extra collision resistance is needed.
Algorithm Comparison Table
| Algorithm | Output | Hex Length | Security | Speed | Use Cases |
|---|---|---|---|---|---|
| MD5 | 128 bits | 32 chars | Broken | Fastest | Checksums, cache keys, dedup |
| SHA-1 | 160 bits | 40 chars | Deprecated | Fast | Git commits (legacy), HMAC |
| SHA-256 | 256 bits | 64 chars | Strong | Moderate | TLS, code signing, blockchain |
| SHA-512 | 512 bits | 128 chars | Strongest | Fast on 64-bit | High-security, large data |
Practical Hashing Guide
Choosing the right hash algorithm depends on your use case. Here's a practical decision guide for common scenarios developers encounter.
File Integrity Verification
Use SHA-256. When distributing software, provide SHA-256 checksums so users can verify downloads haven't been tampered with. MD5 is still used for this but is vulnerable to collision attacks — an attacker could create a malicious file with the same MD5 hash. SHA-256 makes this computationally infeasible.
Password Storage
Never use raw SHA-256 for passwords. General-purpose hash functions are designed to be fast, which means attackers can try billions of guesses per second. Use dedicated password hashing functions: Argon2id (modern standard), bcrypt (widely supported), or scrypt (memory-hard). These are intentionally slow and include salt automatically.
Cache Keys & Deduplication
Use MD5 or SHA-1. For non-security purposes like generating cache keys from request parameters, detecting duplicate files, or content addressing, MD5's speed advantage matters and its cryptographic weaknesses are irrelevant. The chance of accidental collision is astronomically low.
API Authentication (HMAC)
Use HMAC-SHA256. HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to verify both data integrity and authenticity. HMAC-SHA256 is the standard for webhook signatures (GitHub, Stripe, Slack), API authentication, and JWT signing.
Content Addressing
Use SHA-256. Content-addressable storage (used in Git, Docker, IPFS, and npm) identifies files by their hash. This guarantees that the same content always produces the same address, enables deduplication, and makes it impossible to tamper with stored content without changing the address.
The Avalanche Effect
A key property of cryptographic hash functions is the avalanche effect: changing a single bit of input produces a completely different hash output. There's no way to predict how the output will change, and similar inputs don't produce similar hashes. This is what makes hashes useful for integrity verification — even the smallest modification is immediately detectable.
Try it yourself: hash "hello" and "Hello" (capital H) above. Despite differing by only one bit in the ASCII representation, the SHA-256 hashes will be completely different with no discernible pattern. This property is formally called "strict avalanche criterion" — each output bit has a 50% probability of changing when any single input bit is flipped.
FAQ
Can I reverse a hash?
No. Hash functions are one-way by design. You can't compute the original input from a hash. Rainbow table attacks exist for weak passwords, but properly salted hashes are infeasible to reverse.
Which algorithm should I use?
SHA-256 for security purposes. MD5 only for non-security checksums (file integrity, cache keys). Never use MD5 or SHA-1 for passwords or security.
Is my data private?
Yes. All hashing runs in your browser using the Web Crypto API. No data leaves your device.