Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text input.
About Cryptographic Hash Functions
A cryptographic hash function takes an arbitrary-length input and produces a fixed-length digest. The same input always produces the same output, but even a single-bit change in the input produces a completely different hash. This property, called the avalanche effect, makes hashes useful for verifying data integrity: checksums, file deduplication, digital signatures, and password storage all rely on it.
MD5 (128-bit) and SHA-1 (160-bit) are widely deployed but cryptographically broken. Collision attacks against MD5 were demonstrated by Wang et al. in 2004, and a practical SHA-1 collision (SHAttered) was published by CWI Amsterdam and Google in 2017. Neither should be used for security purposes, but they remain common for non-security checksums and legacy systems.
SHA-256 and SHA-512 are members of the SHA-2 family designed by the NSA and published by NIST in 2001 (FIPS 180-2). As of 2026, no practical attacks exist against SHA-2. This tool computes all four hashes simultaneously using the Web Crypto API (SubtleCrypto), which runs natively in your browser with no server communication.
Frequently Asked Questions
What is a cryptographic hash function?
A cryptographic hash function takes an input of any length and produces a fixed-length output called a digest. The same input always produces the same digest, but even a single-bit change in the input produces a completely different hash (the avalanche effect). Hash functions are one-way: you cannot reverse a hash to recover the original input. They are used for data integrity checks, digital signatures, password storage, and deduplication.
Why are MD5 and SHA-1 considered broken?
MD5 and SHA-1 are considered cryptographically broken because researchers have demonstrated practical collision attacks against them. A collision means two different inputs produce the same hash. Wang et al. published MD5 collisions in 2004, and the SHAttered project (CWI Amsterdam and Google) produced a SHA-1 collision in 2017. This means an attacker can forge documents or certificates with matching hashes. Both algorithms remain useful for non-security checksums (verifying file downloads, cache keys), but should never be used for digital signatures, certificates, or password hashing.
What is SHA-256 used for?
SHA-256 is a member of the SHA-2 family published by NIST (FIPS 180-2). It produces a 256-bit (32-byte) digest and has no known practical vulnerabilities as of 2026. SHA-256 is used in TLS/SSL certificates, Bitcoin's proof-of-work algorithm, git commit hashes, code signing, HMAC-based authentication, and as the default hash in many security protocols. Its 256-bit output provides 128 bits of collision resistance, which is considered secure against both classical and near-term quantum computers.
Is this tool safe for sensitive data?
Yes. This tool computes hashes entirely in your browser using the Web Crypto API (SubtleCrypto) for SHA-1, SHA-256, and SHA-512, and a pure JavaScript implementation for MD5. No text you enter is ever sent to a server, stored in cookies, or saved in your browser history. You can verify this by opening your browser's network tab and confirming no requests are made when you type.
What is the difference between hashing and encryption?
Hashing is a one-way operation: it produces a fixed-length digest that cannot be reversed to recover the original input. Encryption is a two-way operation: encrypted data can be decrypted back to the original using a key. Hashing is used for integrity verification and password storage (where you only need to check equality, not recover the original). Encryption is used when you need to transmit or store data that must be readable later, such as messages, files, or database fields.