Free Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text or file. Uses the browser's built-in Web Crypto API, so your data never touches a server. Free, unlimited, and instant.
- MD5
- SHA-1
- SHA-256
- SHA-384
- SHA-512
- SHA3-256
- SHA3-512
- KECCAK-256
- CRC32
Security note
Do not use MD5 / SHA-256 to store user passwords — they are too fast. Use bcrypt, scrypt, or Argon2 instead. These hashes are best for file checksums, cache keys, and HMAC signatures.
Algorithms
- MD5 / SHA-1: broken for security. Still useful for file checksums and cache keys.
- SHA-2 (256/384/512): modern default. Used in TLS, software signatures, Bitcoin.
- SHA-3 (256/512): newer standard, different algorithm. Backup if SHA-2 ever breaks.
- KECCAK-256: pre-NIST SHA-3 variant. Used by Ethereum.
- CRC32: not cryptographic. Used in ZIP files and Ethernet for integrity checking only.
Modes
- Text: hash arbitrary strings (UTF-8 encoded).
- File: hash any uploaded file. Useful for verifying downloads.
- HMAC: keyed hash for verifying webhook signatures (Stripe, GitHub, etc.). HMAC mode relies on Web Crypto, so it is available for the SHA-2 family only.
- Verify: paste a published checksum, drop the file, see if they match.
Hash algorithms compared
| Algorithm | Output length | Safe for security? | Typical use |
|---|---|---|---|
| MD5 | 128 bits (32 hex) | No (broken) | File checksums, cache keys |
| SHA-1 | 160 bits (40 hex) | No (broken) | Legacy git commit IDs |
| SHA-256 | 256 bits (64 hex) | Yes | TLS certificates, Bitcoin, software signatures |
| SHA-512 | 512 bits (128 hex) | Yes | High-security applications, large data |
Common reasons to hash data
Verify file integrity
Download an ISO and check its SHA-256 hash matches the publisher's. If it does, the file is bit-perfect and untampered.
Cache invalidation keys
Hash request inputs to produce a deterministic cache key. Same input always produces the same hash.
Deduplication
Compare file hashes to detect duplicate uploads without comparing bytes directly.
Webhook signature verification
Stripe, GitHub, and most APIs sign webhook payloads with HMAC-SHA256 — you verify by recomputing and comparing.
Security warning
Do not use MD5, SHA-1, SHA-256, or SHA-512 to store user passwords. Plain hashes are too fast — attackers can guess billions of passwords per second on a GPU. For passwords, use a dedicated password-hashing function like bcrypt, scrypt, or Argon2 with a unique salt per user.
Frequently asked questions
Which hash algorithm should I use?
For file integrity verification: SHA-256 is the modern standard. For checksums in software downloads: SHA-256 or SHA-512. MD5 and SHA-1 are still common for non-security use cases like cache keys, but should NOT be used to hash passwords or for any cryptographic purpose — both have known collision attacks.
Can I use these hashes to store passwords?
No. Plain SHA-256 and MD5 are NOT safe for password storage because they are fast to compute, allowing attackers to brute-force billions of guesses per second. For passwords, use a password-hashing function like bcrypt, scrypt, or Argon2 with a unique salt per user.
What is a hash collision?
A collision is when two different inputs produce the same hash. Good cryptographic hashes (SHA-256, SHA-512) are designed so that finding a collision is computationally infeasible. MD5 and SHA-1 have known practical collisions, which is why they should not be used for security-critical applications.
Are my inputs uploaded to your server?
No. Hashing runs entirely in your browser using the Web Crypto API (or pure JS for MD5). Your text, files, and resulting hashes are never sent anywhere.
Can I reverse a hash to get the original text?
No. Cryptographic hashes are one-way functions by design. The only way to 'reverse' a hash is to try inputs until one matches — which is what password crackers do. For weak hashes of short common passwords, this is unfortunately fast (another reason to use bcrypt/Argon2 for passwords).
Generate MD5, SHA-1, SHA-256, SHA-512 hashes of text or files — all computed locally via the Web Crypto API. No uploads, no servers.
How to use
1. Pick the hash algorithm.
2. Paste text or upload a file.
3. The hash is computed instantly.
4. Copy the hex hash.
Why use this tool
- Four major algorithms in one tool.
- File hashing — drop a 1 GB file, hash computes locally without upload.
- Cryptographic-grade via the browser's native Web Crypto API.
Real-world examples
Verify a download
Hash a downloaded ISO → compare to publisher's SHA-256 → confirm file wasn't tampered with.
Password hashing demo
Hash a password with SHA-256 to see what a stored hash looks like (use bcrypt/argon2 in production).