Hash Generator
What it does
The Hash Generator computes five common cryptographic digests of any input text — MD5, SHA-1, SHA-256, SHA-384, and SHA-512 — and shows them side by side. The SHA family runs through the browser’s built-in SubtleCrypto API; MD5 is computed inline via the well-known spark-md5 library. The result is one input, five hashes, all lazily updated as you type.
Common situations
You’re verifying a downloaded file matches the publisher’s stated hash. The vendor publishes SHA-256: a1b2c3... for a release; you want to confirm the file you have produces the same value. (For text-based content, paste here. For binary files, run shasum -a 256 file in a terminal.)
You’re hashing a string for use as a deterministic cache key, ETag, or content-addressable identifier. The same input produces the same output forever; using the hash as a key means equivalent values share storage automatically.
You’re debugging an HMAC signature mismatch on a webhook. The webhook arrives with a signature header; your code computes its own HMAC and rejects the request because the two values do not match. Computing the hash of variants of the payload here (with and without trailing whitespace, with different line endings, with or without a trailing newline) usually reveals which difference is the culprit.
You’re producing fingerprints for a deduplication system. Two pieces of content with the same hash are byte-identical; two with different hashes differ somewhere. Hashing both sides of a candidate-duplicate question gives a definite answer faster than diffing.
You’re auditing a system that stores password hashes and need to confirm the algorithm is appropriate. If you see SHA-256 used directly for password hashing, that is a bug — SHA-256 is too fast and not designed for password verification. Identifying the algorithm via this tool (compare the stored format to known SHA-256 hex output) is the diagnostic step.
What you need to know
Each SHA algorithm runs crypto.subtle.digest(name, bytes), the same primitive every modern browser uses for Subresource Integrity, WebCrypto signing, and TLS internals — it is not a library, it is the platform. The input is encoded as UTF-8 before hashing, so non-ASCII characters produce stable output regardless of how the source was authored.
MD5 is not part of SubtleCrypto (deliberately — it is broken for security). For practical use cases that still need MD5 (legacy ETags, file checksums against old reference values, content addressing where speed matters more than cryptographic strength), the spark-md5 library provides a reliable implementation. The tool reaches for that only for MD5; everything else uses native crypto.
The hash output sizes are fixed per algorithm:
- MD5 — 128 bits, 32 hex characters
- SHA-1 — 160 bits, 40 hex characters
- SHA-256 — 256 bits, 64 hex characters
- SHA-384 — 384 bits, 96 hex characters
- SHA-512 — 512 bits, 128 hex characters
Cryptographic strength varies. MD5 is broken — researchers can produce collisions on demand (two inputs that hash to the same value). SHA-1 is also broken (Google demonstrated a collision in 2017). SHA-256 and SHA-512 are currently considered secure for non-password use cases. SHA-384 is SHA-512 truncated to 384 bits, used in some standards for compatibility reasons.
Password hashing is a separate problem. None of these algorithms are appropriate for storing passwords. Their job is to be fast — exactly what you do not want for password verification, where you want each guess to take a measurable amount of time. Use bcrypt, scrypt, or Argon2 for passwords. SHA-256 of a password is a security incident waiting to happen.
Hex case is conventionally lowercase, which is what the tool produces. Some systems uppercase; comparing hashes should be case-insensitive after length validation.
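The check described above (validate the length, then compare case-insensitively), as an added example that is not the tool's own code. The helper name verifyTextDigest and the length-to-algorithm table are assumptions made for illustration; the digest call and UTF-8 encoding follow what the page describes.

```javascript
// Added example (not the tool's source). Runs in browsers and in Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Hex length -> SubtleCrypto algorithm name, per the size list above.
const ALG_BY_HEX_LENGTH = { 40: 'SHA-1', 64: 'SHA-256', 96: 'SHA-384', 128: 'SHA-512' };

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Hypothetical helper: checks `text` against a published hex digest.
async function verifyTextDigest(text, expectedHex) {
  const expected = expectedHex.trim();
  if (!/^[0-9a-fA-F]+$/.test(expected)) return { ok: false, reason: 'not hex' };
  if (expected.length === 32) {
    return { ok: false, reason: 'MD5 length: not available in SubtleCrypto' };
  }
  const algorithm = ALG_BY_HEX_LENGTH[expected.length];
  if (!algorithm) {
    // A truncated or padded paste fails here, before any hashing happens.
    return { ok: false, reason: `unexpected length ${expected.length}` };
  }
  const bytes = new TextEncoder().encode(text); // UTF-8, as the tool does
  const actual = toHex(await subtle.digest(algorithm, bytes)); // lowercase hex
  const ok = actual === expected.toLowerCase(); // case-insensitive compare
  return { ok, algorithm, actual, reason: ok ? 'match' : 'digest differs' };
}
```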
For HMAC (hash-based message authentication, used for webhook signing and JWT signatures), the algorithm name is HMAC-SHA256 or similar — a hash combined with a secret key. The tool produces plain hashes, not HMACs. For HMAC verification, browser SubtleCrypto’s HMAC algorithm is the right primitive.
Frequently asked questions
What is a cryptographic hash?
A function that produces a fixed-length output from any input, with the property that changing the input changes the output unpredictably and finding two inputs with the same output is computationally hard. Used for content addressing, integrity verification, and signature schemes.
What’s the difference between SHA-1, SHA-256, and SHA-512?
The number is the output size in bits. SHA-1 is 160 bits, SHA-256 is 256 bits, SHA-512 is 512 bits. Larger output sizes provide stronger collision resistance. SHA-1 is broken (collision-vulnerable); SHA-256 and SHA-512 are currently secure.
Should I use MD5 in 2026?
Only for non-security uses (cache keys, ETags, content addressing where the threat model does not include attackers forging hashes). For anything security-relevant, MD5 is broken — use SHA-256 or stronger.
Why can’t I use SHA-256 for password hashing?
SHA-256 is fast — too fast. An attacker with a leaked password database can try billions of password guesses per second. Password hashing algorithms (bcrypt, scrypt, Argon2) are deliberately slow and memory-hard, which limits attack speed. Use them, not the SHA family.
How do I verify a file’s checksum?
For text content, paste here and compare to the published hash. For binary files, use a CLI tool: shasum -a 256 filename (Linux/macOS) or Get-FileHash filename -Algorithm SHA256 (Windows PowerShell). Compare the output to the publisher’s value.
Are hash collisions possible?
For MD5 and SHA-1, yes — researchers and attackers can produce them. For SHA-256 and SHA-512, theoretically yes (any fixed-output hash function has collisions), but no one has produced one and the search space is astronomically large.
What’s the difference between a hash and an HMAC?
A hash takes input and produces output. An HMAC takes input plus a secret key and produces output. HMAC’s purpose is to prove that the input was processed by someone who knows the key. Use HMAC for webhook signing, JWT signatures (HS256), and message authentication.
Why do hashes appear in different cases sometimes?
Hex output is conventionally lowercase but uppercase is also valid. Both represent identical bytes. When comparing hashes, do a case-insensitive compare to avoid false negatives.
Can I hash a file in the browser?
Yes — read the file via FileReader, pass the bytes to crypto.subtle.digest. This tool handles text only; for files, a small custom page or a CLI tool is the right choice.
Common problems
Problem: My computed hash differs from the reference hash by exactly one character at the end.
Trailing whitespace or newline. Many text editors add a final newline that the original did not have, or strip one that it did. Hash both with and without the trailing character to confirm which version produces the reference value.
Problem: Hash works on my machine but fails on the server.
Encoding differences. The tool encodes input as UTF-8; some systems use Latin-1 or Windows-1252 by default. For non-ASCII characters, ensure both ends use UTF-8 explicitly.
Problem: SHA-1 hash of a Git commit does not match what git show reports.
Git’s commit hash is the SHA-1 of the commit object including its header, not just the message. Use git cat-file commit <commit-hash> to see the full content that gets hashed. The structure includes tree, parent, author, committer, and message — all in a specific format.
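An added example (not part of the original page or of Git's code) showing why the values differ: Git hashes a "<type> <byte length>" header, a NUL byte, and then the full object body. The function names and the sample commit body are constructed for illustration.

```javascript
// Added example (not the tool's source): how Git derives an object id.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const utf8 = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Git hashes "<type> <byte length>\0" followed by the object body.
async function gitObjectId(type, body) {
  const content = typeof body === 'string' ? utf8.encode(body) : body;
  const header = utf8.encode(`${type} ${content.length}\0`);
  const store = new Uint8Array(header.length + content.length);
  store.set(header, 0);
  store.set(content, header.length);
  return toHex(await subtle.digest('SHA-1', store));
}

// SHA-1 of the text alone: what a plain hash tool computes.
async function plainSha1(text) {
  return toHex(await subtle.digest('SHA-1', utf8.encode(text)));
}

// Constructed commit body in the layout `git cat-file commit` prints.
// The tree id is Git's empty tree; name, email and timestamp are made up.
const SAMPLE_COMMIT = [
  'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904',
  'author Example Dev <dev@example.test> 1700000000 +0000',
  'committer Example Dev <dev@example.test> 1700000000 +0000',
  '',
  'Initial commit',
  '',
].join('\n');

// Returns the three candidate values side by side; only gitId is what Git reports.
async function compareCommitHashes(commitBody = SAMPLE_COMMIT) {
  const message = commitBody.slice(commitBody.indexOf('\n\n') + 2);
  return {
    messageOnly: await plainSha1(message),
    bodyOnly: await plainSha1(commitBody),
    gitId: await gitObjectId('commit', commitBody),
  };
}
```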
Problem: MD5 produces different output than my old PHP script.
Likely encoding. PHP’s md5() works on byte strings; if the input was encoded differently (Latin-1 vs UTF-8), the byte sequences differ and so do the hashes. Check the encoding of the original input.
Problem: HMAC signature verification fails despite matching algorithm and key.
Signature mismatches usually trace to: different bytes being signed (line endings, trailing newlines, encoding); wrong key (typo, wrong environment’s key, base64 vs hex confusion); wrong algorithm (HMAC-SHA256 vs HMAC-SHA1). Check each variable systematically.
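The variant check described above and under "Common situations", as an added example that is not code from the original page: it signs each byte-level variant of a payload with HMAC-SHA256 and reports which one reproduces the received signature. The function names, the variant labels, and the assumption that the secret is a UTF-8 string and the signature is hex are illustrative.

```javascript
// Added example (not the tool's source): find which payload variant was signed.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const utf8 = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Assumes the secret is used as UTF-8 text; decode it first if it is hex or base64.
async function hmacSha256Hex(secret, message) {
  const key = await subtle.importKey(
    'raw', utf8.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
  return toHex(await subtle.sign('HMAC', key, utf8.encode(message)));
}

// The byte-level differences the text names: line endings, trailing newline, whitespace.
function payloadVariants(payload) {
  const lf = payload.replace(/\r\n/g, '\n');
  return {
    'as received': payload,
    'LF line endings': lf,
    'CRLF line endings': lf.replace(/\n/g, '\r\n'),
    'trailing newline added': payload + '\n',
    'trailing newline removed': payload.replace(/\r?\n$/, ''),
    'trailing whitespace trimmed': payload.trimEnd(),
  };
}

// Returns the labels of every variant whose HMAC equals the received signature.
// An empty result points at the key or the algorithm rather than the bytes.
async function findSignedVariant(secret, payload, signatureHex) {
  const wanted = signatureHex.trim().toLowerCase();
  const matches = [];
  for (const [label, variant] of Object.entries(payloadVariants(payload))) {
    if ((await hmacSha256Hex(secret, variant)) === wanted) matches.push(label);
  }
  return matches;
}
```

This is a debugging aid; in the request path, verify with crypto.subtle.verify rather than comparing hex strings.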
Quick guides
For file integrity verification: Use a CLI tool (shasum, sha256sum, Get-FileHash) on the file directly. The tool here is for text content; binary files need binary-mode hashing.
For HMAC signing in JavaScript: Use SubtleCrypto’s crypto.subtle.sign('HMAC', key, data). The result is a binary signature; convert to hex or base64 for transport.
For password hashing: Do not use this tool. Use bcrypt (every language has a library), scrypt, or Argon2. Set the work factor high enough that hashing takes ~100ms — slow enough to deter brute-force, fast enough to not bottleneck logins.
Tips
- For password storage, do not use anything in this list. MD5 and SHA-1 are broken; SHA-256 and SHA-512 are too fast and not designed for password verification. Use bcrypt, scrypt, or Argon2.
- SHA-256 is the right default for most non-password use cases — strong enough for security work, fast enough for anything content-based, and supported everywhere.
- MD5 still has legitimate uses for non-adversarial integrity (cache keys, content addressing, file deduplication). It is broken against attackers who can forge collisions, not against random corruption.
- Hashing the same input always produces the same output. If your hash differs from a reference hash, the input differs — line endings, trailing whitespace, or character encoding are the usual culprits.
- The order of digits matters. Hex is conventionally lowercase; some systems uppercase. Compare lengths first (32 chars for MD5, 40 for SHA-1, 64 for SHA-256, 96 for SHA-384, 128 for SHA-512), then case-insensitively if lengths match.
- For HMAC, you need a secret key as well as the message — different from plain hashing.
- When hashing JSON for content addressing, sort keys first via the JSON Formatter. Otherwise key-order changes produce different hashes for semantically identical content.
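The key-sorting tip above, as an added example that is not the tool's or the JSON Formatter's code: keys are sorted recursively before serializing, so key order no longer affects the SHA-256 content address. The names canonicalize, contentAddress and naiveAddress are assumptions for illustration.

```javascript
// Added example (not the tool's source): key-order-independent JSON hashing.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Rebuild the value with object keys sorted at every depth.
// Array order is left alone because it is part of the data's meaning.
function canonicalize(value) {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.keys(value).sort().map((key) => [key, canonicalize(value[key])]));
  }
  return value;
}

async function sha256Hex(text) {
  return toHex(await subtle.digest('SHA-256', new TextEncoder().encode(text)));
}

// Hash of the canonical form: stable across key order.
async function contentAddress(value) {
  return sha256Hex(JSON.stringify(canonicalize(value)));
}

// Hash of the value as serialized: changes when keys are reordered.
async function naiveAddress(value) {
  return sha256Hex(JSON.stringify(value));
}
```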
Related tools in this suite
The natural pairing is the JWT Decoder — JWT signatures are HMAC variants of these hash algorithms, and a hash generator is the sanity-check tool when investigating signature mismatches. The Base64 Text tool is the right partner when the hash is conveyed in base64 form rather than hex.
Take it further
Hashing strategy is a system-level decision: which algorithm, against what input, with what salt, stored where. Picking each piece independently produces inconsistencies. The services we deliver often include cryptography review work — verifying that the parts of a system that handle sensitive data are using the right primitives the right way, with documented rationale for each choice.