Can a hash be reversed to get the original input?

No. Hash functions are one-way. There is no algorithm to recover input from the hash alone. Common short inputs can be found via rainbow tables, which is why passwords must use a key derivation function like bcrypt or Argon2, not a raw hash.

Is my data safe when using this online hash generator?

Yes. All hashing runs in your browser. Your input is never sent to any server. The Web Crypto API used for SHA algorithms is a native browser API. The tool works offline.

Why is SHA-1 still shown if it is deprecated?

SHA-1 is still in widespread use for non-security purposes: Git commit IDs, legacy certificate chains, checksums in older systems. Showing it lets you verify existing SHA-1 checksums. For new applications, use SHA-256 or SHA-512.

Why do different tools produce different hashes for the same text?

The most common cause is line ending differences (CRLF vs LF) or encoding differences (UTF-8 vs UTF-16). This tool hashes the raw UTF-8 encoding of the input text.

What is the difference between a hash and encryption?

Hashing is one-way: you cannot recover the input from the hash. Encryption is two-way: encrypted data can be decrypted with the right key. Use hashing for integrity verification and passwords. Use encryption for confidentiality.

Hash Generator

Compute MD5, SHA-1, SHA-256, and SHA-512 hashes instantly — text or file, 100% in-browser

Input

Input Text

0 chars

MD5 128-bit

Enter text or drop a file to compute

SHA-1 160-bit

Enter text or drop a file to compute

SHA-256 256-bit

Enter text or drop a file to compute

SHA-512 512-bit

Enter text or drop a file to compute

Input: —

Mode: text

Case: lowercase

Free Online Hash Generator — MD5, SHA-1, SHA-256, SHA-512

Compute cryptographic hashes for any text string or file instantly with our free online hash generator. All four major hash algorithms run simultaneously as you type — no button clicks needed, no signup required. Processing happens entirely in your browser using the native Web Crypto API (SubtleCrypto) and SparkMD5 for MD5 — your data never leaves your device.

How to Use This Hash Generator

Select Text mode and paste or type your input — all four hashes update in real time
Switch to File mode to hash a file: drag and drop or click "Browse" to select
Click any individual Copy button to copy that algorithm's hash to your clipboard
Use Uppercase in the controls to toggle between lowercase and uppercase hex output
Use Copy All to copy all four hashes at once in a formatted block

What is a Hash Function?

A cryptographic hash function takes input data of any size and produces a fixed-length output called a digest or hash. The same input always produces the same hash — this property is called determinism. Even a single character change in the input produces a completely different hash — this is called the avalanche effect.

Hash functions are one-way: given only the hash, there is no algorithm to recover the original input. This makes them useful for verifying data integrity (you can compare hashes without comparing the data itself), storing passwords (store the hash, not the password), digital signatures, and content addressing.

The four algorithms in this tool cover the full spectrum from fast-but-broken (MD5) to the current security standard (SHA-256/SHA-512).

MD5

MD5 (Message Digest 5) produces a 128-bit hash represented as 32 hexadecimal characters. Developed by Ronald Rivest in 1991, MD5 was widely used for checksums and password hashing. MD5 is not cryptographically secure — collision attacks exist and have been demonstrated practically (two different inputs that produce the same MD5 hash). The SHAttered attack and other techniques have made MD5 unsuitable for any security-sensitive purpose.

MD5 is safe to use for: verifying file integrity where an attacker is not involved (e.g., checking a download wasn't corrupted in transit), deduplicating files in storage systems, and non-security checksums in closed systems. Never use MD5 for: password hashing, digital signatures, TLS certificates, or anything security-critical.

SHA-1

SHA-1 (Secure Hash Algorithm 1) produces a 160-bit hash represented as 40 hexadecimal characters. Designed by the NSA and published by NIST in 1995, SHA-1 was the dominant hash function through the 2000s. NIST deprecated SHA-1 in 2011. In 2017, Google's Project Zero published the SHAttered attack — a practical SHA-1 collision requiring about 6,500 CPU years of computation, proving SHA-1 is broken for security purposes.

SHA-1 persists in Git commit IDs (Git is migrating to SHA-256) and legacy certificate chains. For new applications, use SHA-256 or SHA-512.

SHA-256

SHA-256 is part of the SHA-2 family and produces a 256-bit hash represented as 64 hexadecimal characters. Designed by the NSA and published by NIST in 2001, SHA-256 is the current standard for most security-sensitive applications. No practical attack against SHA-256 exists.

SHA-256 is used in: TLS/HTTPS certificates (the web's security layer), code signing (software distribution integrity), Bitcoin (proof-of-work mining and transaction hashing), password hashing (often as the underlying primitive in PBKDF2 or bcrypt), and HMAC signatures (API authentication).

SHA-512

SHA-512 produces a 512-bit hash represented as 128 hexadecimal characters. It belongs to the same SHA-2 family as SHA-256. SHA-512 uses 64-bit words internally, which makes it faster than SHA-256 on 64-bit processors but slower on 32-bit hardware and in some JavaScript environments.

SHA-512 is used when extra collision resistance is needed or when processing large volumes of data on modern 64-bit servers. It is also the preferred choice for password key derivation in some schemes (like bcrypt's underlying structure) because its larger internal state provides more security margin.

Choosing the Right Hash Algorithm

Algorithm	Output length	Security status	Speed (64-bit)	Best use case
MD5	128-bit / 32 chars	Broken	Fastest	Non-security checksums, legacy compatibility, file dedup
SHA-1	160-bit / 40 chars	Deprecated	Fast	Legacy systems only (Git, old TLS verification)
SHA-256	256-bit / 64 chars	Current standard	Moderate	TLS certificates, code signing, API signatures, general security
SHA-512	512-bit / 128 chars	Current standard	Fast on 64-bit	High-security needs, key derivation, 64-bit performance paths

Common Use Cases

File integrity verification — Compute SHA-256 of a file before and after transfer. If the hashes match, the file wasn't corrupted or tampered with.
Password storage — Never store raw passwords. Store bcrypt(password) or PBKDF2(password, salt) — both use SHA-2 internally. Never use raw MD5 or SHA-1 for passwords.
API request signing — HMAC-SHA256 authenticates API requests. The server computes the same hash and verifies the signature matches.
Content addressing — Git uses SHA-1 (migrating to SHA-256) to address commits, trees, and blobs. IPFS uses SHA-256. Docker image layers are identified by SHA-256 digests.
Deduplication — MD5 or SHA-256 fingerprints let you detect duplicate files without comparing byte-by-byte.
Checksums in package managers — npm, pip, apt, and Homebrew all use SHA-256 checksums to verify downloaded packages weren't tampered with.

When you need to generate unique identifiers (not hashes), use our UUID Generator. When you need to format or validate JSON data, use our JSON Formatter.

Frequently Asked Questions

Is this hash generator free to use?

Yes, completely free. No signup, no account required. All hashing runs in your browser using native JavaScript APIs — there is no backend service processing your data.

What is MD5 used for?

MD5 is commonly used for non-security checksums: verifying a downloaded file wasn't corrupted in transit, deduplicating files in storage systems, and as a fast fingerprint where collision resistance doesn't matter. It should never be used for passwords or digital signatures — its collision vulnerability makes it unsafe for those purposes.

What is the difference between SHA-256 and SHA-512?

Both are secure SHA-2 family algorithms. SHA-256 produces a 64-character hex digest; SHA-512 produces 128 characters. SHA-512 uses 64-bit words internally, making it faster than SHA-256 on 64-bit CPUs but slower on 32-bit hardware. For most applications SHA-256 is the standard choice. SHA-512 is preferred when maximum collision resistance or 64-bit performance matters.

Can a hash be reversed to recover the original input?

No. Hash functions are designed to be one-way: there is no algorithm to recover the input from the hash alone. However, common inputs (like short passwords or known strings) can be found via precomputed rainbow tables or brute force. For passwords, always use a proper key derivation function (bcrypt, scrypt, Argon2) which adds a salt and cost factor — not a raw hash.

Is my data safe when using this tool?

Yes. All hashing runs in your browser using JavaScript — your input is never sent to any server. The Web Crypto API (SubtleCrypto) used for SHA-1/SHA-256/SHA-512 is a native browser API with no network component. SparkMD5 for MD5 is also pure JavaScript. The tool works offline once loaded.

Why is SHA-1 still shown if it's deprecated?

SHA-1 appears because it is still in widespread use for non-security purposes: Git commit IDs, legacy certificate chains, checksum verification in older systems. Showing it lets you verify or match existing SHA-1 checksums without switching tools. If you're choosing an algorithm for a new application, use SHA-256 or SHA-512.

Why do different tools sometimes produce different hashes for the same text?

The most common cause is line ending differences: Windows uses CRLF ( ), Unix uses LF ( ). Pasting from a Windows text editor into a Unix tool changes the byte sequence, producing a different hash. Encoding also matters: UTF-8 and UTF-16 representations of the same text have different byte sequences. This tool hashes the raw UTF-8 encoding of the input text.

How do I verify a file's SHA-256 checksum from the command line?

On macOS: shasum -a 256 filename. On Linux: sha256sum filename. On Windows (PowerShell): Get-FileHash filename -Algorithm SHA256. Compare the output to the published checksum — if they match, the file is intact. Use this tool for a quick in-browser check without the command line.

What is the difference between a hash and an encryption?

Hashing is one-way: you cannot recover the input from the hash. Encryption is two-way: encrypted data can be decrypted with the right key. Hashes are used for integrity verification, password storage, and digital signatures. Encryption is used for confidentiality — protecting data so only authorized parties can read it. Never use hashing where encryption is needed, and never use encryption where a hash is needed.

Can I hash a large file?

Yes. Switch to File mode, then drag and drop or browse to select your file. The tool uses the browser's Blob API to read and hash the file in chunks using the Web Crypto API. Practical limits depend on your browser's memory: most modern browsers handle files up to several gigabytes. For very large files (100GB+), command-line tools like sha256sum are more appropriate.

Should I use SHA-256 or SHA-512 for password hashing?

Neither directly. For password hashing, use bcrypt, scrypt, or Argon2 — these are key derivation functions (KDFs) designed specifically for passwords. They incorporate salting and intentional computational cost to slow down brute-force attacks. SHA-256 and SHA-512 are too fast for password hashing: a GPU can compute billions of SHA-256 hashes per second, making brute-force feasible against unsalted hashes.