Overview
Generate cryptographic hashes for any text
A hash function takes any input and produces a fixed-length fingerprint of that input. Two important properties: the same input always produces the same hash, and even tiny changes to the input produce a completely different hash. Hashing powers password storage, file integrity checks, digital signatures, blockchain, content addressing, and dozens of other security and software systems.
ToolHub Hash Generator computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text. The SHA family uses the browser native Web Crypto API. MD5 uses a small bundled library since it is no longer in the browser standard. Everything runs locally.
Step-by-step
How to generate hashes
- 1
Type or paste your text
Drop any text into the input box. Hashes update live as you type. - 2
Pick which algorithms to show
Toggle the chips to enable or disable each algorithm. Most users only need SHA-256 in modern work, but having all five available is useful for verifying older data. - 3
Copy what you need
Each hash row has its own copy button. Toggle uppercase output if your downstream system expects it (some legacy tools do).
Background
The hash algorithms compared
| Algorithm | Notes | |
|---|---|---|
| MD5 | 128 bits, very fast | Cryptographically broken since 2004. Use only for non-security checksums. |
| SHA-1 | 160 bits, fast | Broken since 2017. Avoid for new work. Still used by some legacy systems. |
| SHA-256 | 256 bits, fast on modern CPUs | Current standard. Used in TLS, Bitcoin, Git, signatures. |
| SHA-384 | 384 bits | Used when extra margin over SHA-256 is desired (some government work). |
| SHA-512 | 512 bits, faster than SHA-256 on 64-bit CPUs | Current standard for high-security work. |
One-way means one-way
Hashes cannot be reversed. Given a hash, there is no mathematical way to recover the original input. Attackers can however try guessing inputs and checking if the hash matches (a brute-force attack), or use precomputed tables of common inputs (rainbow tables). This is why hashing alone is not enough to store passwords. Modern password storage uses purpose-built functions like bcrypt, scrypt, or Argon2 that add salt and slowness to defeat brute force.
Avalanche effect
A property of good hash functions: changing one bit of the input changes about half the bits of the output. This means you cannot tell from comparing hashes how similar two inputs were.
Use cases
When to use hashing
File integrity verification
Compute the hash of a downloaded file and compare to the publisher’s reference to detect tampering.
Detecting duplicate content
Hash a document or image to deduplicate against an existing collection.
Generating ETags
Web servers use hash-based ETags to detect when content changes and invalidate caches.
Idempotency keys
Hash request payloads so identical retries produce the same key, preventing duplicate operations.
Database lookups
Index large strings by their SHA-256 hash for fixed-size keys instead of variable-length text.
Signature verification
Sign the hash of a message rather than the message itself for efficient digital signatures.
Common questions
Which algorithm should I use?
For new code, SHA-256 is the default choice. Use SHA-512 for extra margin or when you need a longer hash. Use MD5 or SHA-1 only when integrating with legacy systems that require them.
Should I use this for password storage?
No. Plain SHA-256 of a password can be brute forced quickly with modern GPUs. Use a purpose-built password hashing function like bcrypt, scrypt, or Argon2. Those add salt and deliberate slowness.
Why are MD5 and SHA-1 still common?
They are still useful as fast non-security checksums (Git uses SHA-1 for content addressing, BitTorrent uses both). They are broken for cryptographic purposes (signatures, certificates), where they have been replaced by SHA-256 and beyond.
Can two different inputs produce the same hash?
Yes, this is called a collision. For SHA-256 and beyond, finding one is computationally infeasible with current technology. For MD5 and SHA-1, attackers have already published collision pairs.
100% private
Privacy and security
Hashing is local