Hash Generator
Input
Hash Results
MD5128-bit
SHA-1160-bit
SHA-256256-bit
SHA-384384-bit
SHA-512512-bit
Verify

Hash Generator Online — MD5, SHA-1, SHA-256, SHA-384, SHA-512 & HMAC

Share

About this tool

What Is a Cryptographic Hash Generator and How Does It Work?

A cryptographic hash function is a mathematical algorithm that takes any input — a word, a paragraph, a JSON payload, or an entire file — and produces a fixed-length string of hexadecimal characters called a hash, digest, or checksum. This online hash generator computes five of the most widely used hash algorithms simultaneously: MD5 (32 hex characters), SHA-1 (40 characters), SHA-256 (64 characters), SHA-384 (96 characters), and SHA-512 (128 characters). All five hashes appear at once as you type — no button click, no page reload, and no server round-trip. Everything runs in your browser using the native WebCrypto API for SHA algorithms and a pure JavaScript implementation for MD5.

Hash functions have three critical properties that make them useful in security and data integrity applications. First, determinism: the same input always produces exactly the same hash — "hello" always hashes to the same 64 hex characters with SHA-256, on any machine, in any language. Second, the avalanche effect: changing even a single character in the input produces a completely different hash — "hello" and "Hello" have hashes that share no recognizable relationship. Third, one-way (pre-image resistance): given a hash output, it is computationally infeasible to reverse the calculation to find the original input. You cannot "decode" a hash — you can only compare it against the hash of a known value. These properties make hashes fundamental to file integrity verification, password storage (with proper salting), digital signatures, and API authentication.

HMAC (Hash-based Message Authentication Code) extends plain hashing by combining the hash function with a secret key. A standard SHA-256 hash of "hello" is always the same — any attacker can replicate it. An HMAC-SHA256 of "hello" with the secret key "mysecret" produces a unique code that only someone who knows the key can reproduce. This makes HMAC the basis of authenticated API communication: the server and client share a secret key, the client signs each request payload with HMAC-SHA256, and the server verifies the signature to confirm the request is authentic and untampered. AWS Signature Version 4, Stripe webhook verification, GitHub webhook payloads, and JWT HS256/HS512 signing all use HMAC. This tool's HMAC mode supports SHA-1, SHA-256, SHA-384, and SHA-512 with any secret key.

The hash verification feature is one of the most practical features for security-conscious developers and sysadmins. Software distributors publish SHA-256 or MD5 checksums alongside their downloads so users can confirm the file they received is identical to what was published. Hash the downloaded file using this tool's File mode, paste the published checksum into the Verify field, and a green checkmark instantly confirms the file is authentic — or a red indicator shows a mismatch that could indicate tampering, a corrupted download, or the wrong file version. The tool automatically identifies which algorithm a pasted hash belongs to by its length (32 chars = MD5, 40 = SHA-1, 64 = SHA-256, 96 = SHA-384, 128 = SHA-512) so you do not need to specify the algorithm manually.

Features

  • Five hash algorithms at once — MD5, SHA-1, SHA-256, SHA-384, SHA-512 computed simultaneously
  • Live text hashing — all five hashes update in real time as you type
  • File hashing — drag & drop or upload any file, any size, computed entirely in the browser
  • HMAC mode — generate authenticated message authentication codes with a secret key (SHA-1/256/384/512)
  • Hash verification — paste an expected hash to instantly confirm match or mismatch with auto-algorithm detection
  • Uppercase/lowercase toggle — switch hex output between lowercase and uppercase for any convention
  • Copy individual algorithm hash or copy all results formatted in one click
  • WebCrypto API for SHA algorithms — hardware-accelerated native browser cryptography
  • 100% client-side — no text, file content, or HMAC secret key is ever uploaded to any server
  • Works offline once the page has loaded

How to Use

Choose Text or File mode from the toggle in the tool header. In Text mode, type or paste any text into the input area — all five hashes (MD5, SHA-1, SHA-256, SHA-384, SHA-512) update live as you type. There is no length limit on the text input. The hashes reflect the UTF-8 encoding of the text, which is standard for all web and API contexts.

In File mode, drag and drop any file onto the upload area or click to open the file browser. The tool reads the entire file as a byte array in your browser using the FileReader API and feeds it directly to the WebCrypto and MD5 hash functions. All five hashes appear as soon as the file is read — typically within a second even for large files. The file is never uploaded to any server. This is the correct way to generate SHA-256 checksums for downloaded files, built artifacts, or any binary content where the exact byte sequence matters.

To use HMAC mode, click the HMAC toggle in the header. An additional secret key input field appears. Enter your HMAC secret key (any string), then type or upload your message data as normal. HMAC results appear for SHA-1, SHA-256, SHA-384, and SHA-512 — MD5 is excluded from HMAC mode because MD5 is cryptographically broken and HMAC-MD5 is not considered secure for authentication purposes. The HMAC output for each algorithm changes if either the key or the message changes — even a single character difference in either produces a completely different HMAC. This exactly matches the behavior of HMAC implementations in all programming languages and API signing libraries.

Use the Uppercase toggle to switch all hash outputs between lowercase hex (the most common convention in web and Linux tools) and uppercase hex (used by some Windows tools and certain API specifications). Both representations are mathematically identical — they differ only in character case. Click any individual copy icon to copy just that algorithm's hash, or click Copy all to get all five hashes formatted in a labeled list — useful for sharing or including in release notes.

To verify a hash, paste the expected hash value into the Verify field at the bottom of the results panel. The tool reads the hash length to determine which algorithm it belongs to (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256, 96 = SHA-384, 128 = SHA-512), then compares it against the hash it computed from your current input. A green checkmark and "Match" label confirms the data matches the expected hash. A red "Mismatch" label indicates the hash does not match — the file may be corrupted, tampered with, or you may be verifying against the wrong algorithm's output.

Common Use Cases

🔒
File Integrity Verification
Hash a downloaded ISO, installer, archive, or binary and compare it against the official SHA-256 or MD5 checksum published by the software vendor. Confirms the file was not corrupted during download and has not been tampered with by a third party.
🔑
API Request Signing with HMAC
Use HMAC-SHA256 mode to sign API request payloads with a secret key — matching the signature scheme used by AWS Signature Version 4, Stripe webhook verification, GitHub webhook validation, and most modern HMAC-based API authentication systems.
🪙
JWT Signature Verification
Compute HMAC-SHA256 or HMAC-SHA512 signatures for JSON Web Token header.payload strings during development and debugging to understand how JWT signing works or to manually verify a token signature without a library.
🗃️
Content Fingerprinting & Deduplication
Hash files or text blocks with SHA-256 to create unique content identifiers. Two inputs that produce the same SHA-256 hash are, for all practical purposes, identical — making hash-based deduplication reliable for storage systems, caches, and content-addressable filesystems.
🛡️
Understanding Password Storage
Explore why MD5 and SHA-1 are insufficient for password storage by seeing how fast they run and understanding the absence of a salt. Understand why bcrypt, scrypt, and Argon2 — which are intentionally slow and include built-in salting — are required for secure password hashing.
📦
Build Artifact Checksums
Generate SHA-256 hashes for build artifacts, Docker image layers, NPM packages, and deployment binaries to pin exact versions in CI/CD pipelines and detect supply chain tampering by comparing build output hashes across environments.

Frequently Asked Questions

A cryptographic hash function takes any input (text, file, or binary data) and produces a fixed-length hexadecimal string called a hash or digest. The same input always produces the same output — this is determinism. A single changed character in the input produces a completely different hash — this is the avalanche effect. Hashes are one-way: given only the hash output, it is computationally infeasible to reconstruct the input. These properties make hashes useful for verifying data integrity (did this file change?), storing passwords safely (store the hash, not the password), and authenticating messages (HMAC).

MD5 produces a 128-bit (32 hex character) hash and is fast, but cryptographically broken — intentional collisions can be generated in seconds on modern hardware. SHA-1 produces a 160-bit (40 hex character) hash and is also considered cryptographically weak — collision attacks against SHA-1 have been demonstrated. SHA-256 is part of the NSA-designed SHA-2 family, produces a 256-bit (64 hex character) hash, and is the current industry standard for data integrity and digital signatures. SHA-384 and SHA-512 are larger SHA-2 variants producing 384-bit (96 chars) and 512-bit (128 chars) hashes respectively — slower and larger, providing additional security margin for high-security applications.

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. A plain SHA-256 hash is public and reproducible — any attacker who knows the algorithm (which is always public) can hash any message they want. An HMAC-SHA256 signature requires knowing the secret key to reproduce, making it impossible to forge without that key. Use HMAC when you need to prove both that data has not been tampered with (integrity) AND that the sender had access to the secret key (authenticity). Common applications: API request signing (AWS, Stripe, GitHub), JWT HS256/HS512 token signing, cookie integrity verification, and webhook payload authentication.

MD5 is safe only for non-security purposes where collision resistance is not required — for example, detecting accidental file corruption, generating quick content fingerprints, or as a cache key where attackers have no motive to engineer collisions. It is cryptographically broken for all security-sensitive applications: intentional collisions can be generated in seconds, and MD5 password hashes can be cracked rapidly using rainbow tables. Never use MD5 for passwords, digital signatures, or any integrity check where an attacker might be motivated to create two different inputs with the same hash. Use SHA-256 or higher for all security-critical uses.

Switch to File mode using the toggle at the top. Upload the file by clicking the upload area or dragging and dropping it — the tool reads the file in your browser and displays all five hash values immediately. Find the checksum published by the software vendor (typically a SHA-256 hash listed on the download page or in a separate .sha256 file). Paste that checksum string into the Verify field below the hash results. The tool automatically identifies which algorithm the hash belongs to based on its length and highlights whether it matches the computed hash with a green checkmark (match) or red indicator (mismatch).

Use SHA-256 as the default for all new security applications — file integrity checks, API signing, digital signatures, and certificate fingerprints. Use SHA-512 when you need the highest security margin or when working with hardware that is faster at 64-bit operations (SHA-512 can be faster than SHA-256 on 64-bit hardware for large inputs). Use HMAC-SHA256 or HMAC-SHA512 for message authentication and API signing. Use MD5 only for non-security purposes like detecting accidental corruption or as a legacy identifier in systems that require it. Avoid SHA-1 for new systems — it is deprecated for all security purposes.

Yes — 100% private. All hashing runs entirely in your browser using the native WebCrypto API for SHA-1, SHA-256, SHA-384, and SHA-512, and a pure JavaScript implementation for MD5. No text input, file content, or HMAC secret key is ever transmitted to any server. The tool works completely offline once the page has loaded. It is safe to use with passwords you want to understand, proprietary file content, API secret keys, and any data you would not want to share with a third-party service.

Hash output length directly identifies the algorithm: MD5 produces 32 hex characters (128 bits), SHA-1 produces 40 hex characters (160 bits), SHA-256 produces 64 hex characters (256 bits), SHA-384 produces 96 hex characters (384 bits), and SHA-512 produces 128 hex characters (512 bits). When you paste a hash into the Verify field, the tool uses these lengths to automatically identify which algorithm it came from — so you never need to manually specify "this is a SHA-256 hash". If a hash is 64 characters, it must be SHA-256 (or SHA-3-256, which produces the same length but a different hash).

Yes. The File mode uses the browser's FileReader API to read the entire file as an ArrayBuffer and passes it directly to the WebCrypto API's SubtleCrypto.digest() method. There is no file size limit imposed by this tool — WebCrypto handles large files efficiently. For very large files (multiple gigabytes), reading and hashing may take several seconds because the entire file must be read into memory. The UI shows a loading state during hashing so you know it is processing. The WebCrypto API is hardware-accelerated in all modern browsers, making SHA-256 hashing of typical software downloads (a few hundred megabytes) complete in under a second on most devices.