What is a hash function?

A hash function takes input data of any size and produces a fixed-size output (the hash or digest) that uniquely represents that input. Even a 1-bit change in the input produces a completely different hash. Cryptographic hash functions are one-way – given the hash, you can’t reverse-engineer the input. They’re the foundation of digital signatures, file integrity verification, password storage (via salt+hash), blockchain mining, and software distribution (the checksums you see when downloading installers). This tool generates 5 hash types: MD5 (legacy, 128-bit), SHA-1 (deprecated for crypto), SHA-256 (recommended modern standard), SHA-384, and SHA-512. All computation happens in your browser using the Web Crypto API – your data never leaves your device.

How to use this tool

1. Enter text to hash — Type or paste any text – a word, a passphrase, an entire document. UTF-8 supported.
2. Optional: uppercase output — Toggle to display hex characters as uppercase (some systems require this format).
3. Read all hashes instantly — MD5, SHA-1, SHA-256, SHA-384, SHA-512 all calculated as you type. Each is a fixed length: MD5=32 chars, SHA-256=64 chars, SHA-512=128 chars.
4. Copy the hash you need — Click any hash field to select all, then Ctrl+C to copy. Use it for checksum verification, signing, etc.

Hash algorithm comparison

• MD5 (1992) – 128-bit. Cryptographically broken since 2004. Still used for non-security checksums, cache keys, ETags.
• SHA-1 (1995) – 160-bit. Deprecated for crypto since 2017 (Google’s SHAttered attack). Still in old git, legacy systems.
• SHA-256 (2001) – 256-bit. Current default for crypto. Used by Bitcoin, TLS certificates, code signing.
• SHA-384 (2001) – 384-bit. Higher security margin. Used in some military/government applications.
• SHA-512 (2001) – 512-bit. Maximum security. Used for high-stakes signing, future-proofing.

All SHA-2 functions (SHA-256/384/512) are considered secure for general use. SHA-3 (Keccak family, 2015) provides backup if SHA-2 ever gets broken.

Examples

Hash of ‘hello’ produces:

• MD5: 5d41402abc4b2a76b9719d911017c592
• SHA-1: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
• SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
• SHA-512: 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043

Hash of ‘Hello’ (capital H): Completely different despite 1-bit input change – the avalanche effect.

Tips & best practices

• Use SHA-256 as default for any new project requiring hash – widely supported, secure for foreseeable future
• Never use MD5 or SHA-1 for passwords – they’re too fast (billions of guesses per second). Use bcrypt, argon2, or scrypt designed for password hashing
• Always include a unique ‘salt’ when hashing passwords – prevents rainbow table attacks. Store salt+hash, not just hash
• Hash verifying file downloads: compare your computed hash against the publisher’s published hash to verify integrity
• Use git’s SHA-1 commit hashes for changeset identity, not for security (git itself is moving toward SHA-256)
• Cache keys benefit from MD5 – speed matters more than security, collisions are extremely unlikely

Limitations & notes

MD5 and SHA-1 are broken for cryptographic use – never use them for security signatures, certificates, password storage. SHA-256 is computationally cheap (billions of hashes per second on modern hardware) which is why it’s not suitable for password storage – you want SLOW hashing for passwords. Web Crypto API requires HTTPS (which this site uses) – won’t work on http:// pages.

Frequently Asked Questions

Which hash should I use for new projects?

SHA-256 is the modern default. It’s secure, widely supported in every language and library, and computationally efficient. Use SHA-384 or SHA-512 only if you specifically need higher security margins.

Is MD5 still useful?

For non-security uses, yes: file checksums (detecting accidental corruption), cache keys (uniqueness, not security), ETags, database deduplication. NEVER use MD5 for passwords, digital signatures, or any security-critical purpose.

Why can’t I reverse a hash?

Hash functions are designed to be one-way. They reduce data of any size to a fixed output – billions of inputs map to the same hash space (collisions are mathematically inevitable but extremely rare). ‘Reversing’ would require trying all possible inputs – which is computationally infeasible for SHA-256 (2^256 possibilities = more than atoms in the universe).

How are passwords usually stored?

NEVER as plain text. NEVER as raw hash. Properly: (1) Generate a unique random ‘salt’ for each user, (2) Combine password + salt, (3) Run through a slow hash function like bcrypt, argon2, or scrypt (NOT SHA-256), (4) Store {salt, hash} in database. On login, recompute and compare. The slow hash makes brute force impractical.

What’s a hash collision?

When two different inputs produce the same hash. Theoretically inevitable since infinite inputs map to finite hash space. For SHA-256, finding a collision requires ~2^128 operations – infeasible. For MD5, collisions can be deliberately constructed in seconds (which is why MD5 is broken for security).

Are these hashes computed locally or sent to a server?

100% local. The tool uses your browser’s built-in crypto.subtle.digest() API plus an embedded JavaScript MD5 implementation. Your text never leaves your device. You can verify by disabling internet after the page loads – hashes still work.

What’s the difference between SHA-2 and SHA-3?

SHA-2 (which includes SHA-256, 384, 512) uses Merkle-Damgard construction from 2001. SHA-3 uses Keccak sponge construction from 2015 – completely different internal design. Both are currently secure. SHA-3 exists as a backup if SHA-2 ever gets broken. For now, SHA-256 is the practical default everywhere.

Related tools

Password Generator · UUID Generator · Base64 Encoder