VD
VisualDevTools
Advertisement
#

Hash Generator

Compute SHA-1, SHA-256, SHA-384, SHA-512, and MD5 hashes of any text or file. Output in hex or Base64. Verify file integrity, generate checksums, and compare digests — all in your browser, nothing uploaded.

Advertisement

Cryptographic Hashes: What They Do, What They Don't

A cryptographic hash is a one-way function that maps any-length input to a fixed-length output (the digest). The defining properties: identical inputs always produce identical outputs; even the smallest change to the input completely scrambles the output; and given the digest, it is computationally infeasible to recover the input or find a different input that produces the same digest.

Hashes are not encryption. There is no key, no decryption — the function is deliberately one-way. A hash digest tells you "this is the fingerprint of some data" but tells you nothing about the data itself. Don't use hashes to "hide" data; use them to verify integrity, build signatures, or derive keys.

The Algorithms in This Tool

  • SHA-256 (256-bit digest, 64 hex chars) — modern default. Fast, secure, supported everywhere. Used by Bitcoin, TLS certificates, GitHub commits (since 2025), and HMAC signing for most webhook providers.
  • SHA-512 (512-bit digest, 128 hex chars) — same family, larger output. Marginally faster on 64-bit CPUs. Use when you specifically need 512 bits of output (e.g., to seed key-derivation functions); SHA-256 is otherwise interchangeable.
  • SHA-384 — truncated SHA-512 to 384 bits. Used in some TLS cipher suites and certificate signing.
  • SHA-1 ⚠ (160-bit, 40 hex chars) — deprecated for security. Practical collision attacks exist (SHAttered, 2017). Still used for Git commits (transitioning to SHA-256), older HMAC contexts, and non-security checksums.
  • MD5 ⚠ (128-bit, 32 hex chars) — broken. Trivial collisions, fast brute force. Do not use for any security purpose. Acceptable for cache keys and accidental-corruption checks where collision resistance doesn't matter.

Common Use Cases

  • File integrity — download a file and a published checksum; compute the hash locally; compare. If they match, the file is intact and unmodified. Most major Linux distros publish SHA-256 alongside ISOs for this purpose.
  • Webhook signature verification — GitHub, Stripe, Slack sign each webhook payload with HMAC-SHA-256. The receiver computes the same HMAC and compares. See our Webhook Secret Generator for the keys; this tool is for the digest itself.
  • Content-addressed storage — IPFS, Git, and many caching systems use a hash of content as its address. Two pieces of identical data automatically dedupe.
  • Compare-without-revealing — store a SHA-256 of an email address to check membership in a list without storing the address itself. Adds privacy at the cost of being able to look up the original.
  • Pre-image detection — when you suspect data has been tampered with, hashing the current state and comparing against an old hash is the fastest way to confirm.

What Hashes Cannot Do

  • Hash passwords directly. SHA-256 is too fast. An attacker with a stolen hash database can compute billions of guesses per second on a single GPU. Always use a slow, salt-aware password hash: bcrypt, scrypt, or Argon2. Argon2id is the current OWASP recommendation.
  • Encrypt data. A hash cannot be reversed; if you need to retrieve the data later, use AES-256-GCM, ChaCha20-Poly1305, or libsodium. Hashes are for verification only.
  • Authenticate messages on their own. Use HMAC (Hash-based Message Authentication Code), which combines a hash with a secret key. HMAC-SHA-256 is the standard primitive for webhook signing and JWT signing.

Doing It in Code

// Browser (modern)
async function hash(s) {
  const buf = new TextEncoder().encode(s);
  const digest = await crypto.subtle.digest('SHA-256', buf);
  return [...new Uint8Array(digest)].map(b => b.toString(16).padStart(2,'0')).join('');
}

// Node.js
import { createHash } from 'crypto';
createHash('sha256').update(input).digest('hex');

// Python
import hashlib
hashlib.sha256(b'hello').hexdigest()

// Bash
echo -n 'hello' | sha256sum
shasum -a 256 file.bin                  // macOS/Linux
certutil -hashfile file.bin SHA256       // Windows

For HMAC (signing with a secret key), see our HMAC Generator. For specifically MD5 or SHA-256 in a single dedicated page, see MD5 or SHA-256.

How to Use

  1. Pick a source — Text or File. Files are read locally; nothing uploads.
  2. Tick the algorithms you want — SHA-256 by default, others on demand.
  3. Choose output format — hex, HEX, Base64, or Base64url.
  4. Hash updates live as you type. For files, click Compute (or change algorithms) to recompute.
  5. Copy any digest — hover a row for a per-row copy button.

Frequently Asked Questions

Which hash algorithm should I use?

For new applications: SHA-256 is the modern default. It's fast, well-supported, and considered secure against any practical attacker. SHA-512 is similar but with larger output (512 bits). Use SHA-1 only when verifying compatibility with legacy systems (Git commits, older SSL certificates) — it has known collision attacks and is deprecated for new security uses. MD5 is broken: don't use it for any security purpose. It's still acceptable for non-security checksums (file deduplication, cache keys) where collision resistance doesn't matter.

Is this safe to hash sensitive data with?

Yes. The hash computation uses the Web Crypto API (crypto.subtle.digest) and runs entirely in your browser tab. The text or file you provide is never sent to any server — there is no fetch(), no upload, no analytics. You can verify by opening DevTools → Network and watching: pasting text and clicking Hash produces no network traffic.

What's the difference between hex and Base64 output?

Both encode the same bytes, just differently. Hex (the default) uses 0–9 and a–f, two characters per byte — a SHA-256 digest is 64 hex characters. Base64 packs 6 bits per character, so the same digest is 44 characters (with padding) or 43 (Base64url, unpadded). Hex is easier to compare visually and is the standard format for Git commits, GitHub HMAC headers, and most checksum files. Base64url is denser and is used by JWT and modern web APIs.

Can I hash a file without uploading it?

Yes — drop a file onto the input area or click 'Choose file'. The browser reads it locally with the FileReader API, computes the hash with Web Crypto, and never transmits the file content anywhere. This works for files up to several hundred MB; larger files may stall the page because the entire file must be in memory. For multi-gigabyte files, use a command-line tool (sha256sum, openssl dgst, certutil).

Why are MD5 and SHA-1 still useful if they're broken?

'Broken' means the hash is no longer cryptographically secure — an attacker can engineer two different inputs that produce the same hash (a collision). That matters for digital signatures, certificate authorities, and any context where preventing forgery is the goal. It does NOT matter for checksums whose only job is detecting accidental corruption — if a file gets bit-rotted in transit, MD5 will still catch it. Lots of legacy infrastructure (older Linux package mirrors, Git internals) still uses these algorithms for non-adversarial integrity checks.

How do I do this from the command line?

Linux/macOS: `echo -n 'hello' | sha256sum` or `shasum -a 256 file.bin`. Use `-n` with echo to avoid the trailing newline, which changes the hash. Windows: `certutil -hashfile file.bin SHA256`. Cross-platform via openssl: `openssl dgst -sha256 file.bin` or `echo -n 'hello' | openssl dgst -sha256 -hex`. For all of these the output should match this tool's output byte-for-byte (assuming you remembered the -n).

Comments

No comments yet. Be the first!