Hash Generator

Generate MD5, SHA-256, SHA-384, and SHA-512 hashes from any text. All hashing runs locally — nothing leaves your browser.

About Hash Generator

A cryptographic hash function takes any input and produces a fixed-length string (the hash or digest) that acts as a unique fingerprint for that input. Even a single character change produces a completely different hash. This tool computes MD5, SHA-256, SHA-384, and SHA-512 hashes entirely in your browser — nothing is ever sent to a server.

Hash algorithm comparison

  • MD5 (128-bit) — Fast, but cryptographically broken since 2004. Safe for non-security uses like file checksums or cache keys, but never use it for passwords or signatures.
  • SHA-256 (256-bit) — Part of the SHA-2 family. The most widely deployed hash algorithm. Used in TLS certificates, code signing, Git commits, and Bitcoin proof-of-work.
  • SHA-384 (384-bit) — A truncated variant of SHA-512. Used in TLS 1.2/1.3 cipher suites and Subresource Integrity (SRI) tags in HTML.
  • SHA-512 (512-bit) — The strongest SHA-2 variant. Preferred for high-security applications, password hashing pipelines (as a pre-hash step), and long-term integrity verification.

SHA hashes use the browser's built-in Web Crypto API. MD5 is computed with a pure JavaScript implementation.

About the Hash Generator

A cryptographic hash function takes an input of any length and produces a fixed-size output (the hash, digest, or fingerprint) such that even a tiny change in the input produces a completely different output, and recovering the original input from the hash is computationally infeasible. Hashes are the workhorses of modern security: they verify file integrity, anchor digital signatures, store passwords safely (when combined with a slow KDF), index data in content-addressed storage, and form the basis of blockchains.

This tool computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text input, using the browser's built-in SubtleCrypto API for SHA family hashes. All computation happens locally — your input never leaves your device.

Which hash should I use?

For new cryptographic uses, prefer SHA-256 or SHA-512. SHA-1 is broken for collision resistance (Google demonstrated a real-world SHA-1 collision in 2017) and should not be used in new security-critical work, though it remains acceptable for non-security uses like Git object IDs. MD5 is broken even more thoroughly and should not be used in any security context. MD5 and SHA-1 still see legitimate non-security use: file checksums where the only adversary is bit rot, ETag generation, or non-cryptographic hash-table keys.

Hashing passwords

You should not store passwords as plain SHA-256 hashes either. Modern attackers can compute billions of SHA-256 hashes per second on GPUs, so a leaked database of unsalted SHA-256 password hashes is trivially cracked. For passwords, use a slow, salted KDF designed for the purpose: bcrypt, scrypt, argon2id, or PBKDF2 with a high iteration count. Those are not available in this in-browser tool, by design — they require server-side configuration tuned to a known cost target.

How to use the Hash Generator

  1. Type or paste your input

    Drop any text into the input box. The hash recomputes as you type.

  2. See every digest at once

    MD5, SHA-1, SHA-256, SHA-384, and SHA-512 are all shown simultaneously with copy buttons.

  3. Compare against an expected hash

    Paste the expected hash beside the computed one to confirm a file or message integrity check by eye.

Worked examples

Example 1

Input: (empty string)

Result: SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

The hash of an empty string is the well-known constant above — useful for sanity-checking implementations.

Example 2

Input: hello

Result: SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Small input, fixed-size output. Any change to the input yields a completely different hash.

Real-world use cases

  • Verifying that a downloaded file matches the publisher's published hash.
  • Generating ETag values for HTTP responses.
  • Producing deterministic IDs for cache keys based on content.
  • Quickly comparing two large strings for equality (compare digests instead).
  • Demonstrating cryptographic concepts in a teaching context.

Tips & common mistakes

  • Always use SHA-256 or stronger for new security-sensitive uses.
  • Hashing passwords directly is dangerous. Use a slow KDF (bcrypt, argon2, scrypt) server-side.
  • A hash is irreversible: there is no "decode hash" button. If you need reversible encoding, you want Base64 or a real cipher.
  • Two inputs that hash to the same digest is a "collision". MD5 and SHA-1 have known collisions. SHA-256 and above are believed collision-resistant given current knowledge.

Frequently asked questions

Can I decode a hash back to the original input?

No. Cryptographic hashes are designed to be one-way. The only way to "reverse" a hash is to guess the input and compare — which is exactly what password-cracking software does.

Why are two different inputs producing the same hash?

They almost certainly are not — if you see this with SHA-256 or above, look for a bug in your code or a subtle whitespace difference you missed. Real collisions for SHA-256 have never been observed.

Is the hashing done in my browser?

Yes. SHA hashes use the browser's built-in SubtleCrypto API. MD5 (which the browser does not expose natively) is computed via a small JavaScript implementation that also runs locally.

Why is my SHA-256 output 64 characters long?

SHA-256 produces a 256-bit (32-byte) hash. Displayed in hexadecimal, each byte is two characters, so 64 characters total.

Related tools

Base64 EncoderJWT DecoderUUID GeneratorPassword Generator

Last updated: June 2026 · All processing happens locally in your browser.