Hash Generator — MD5, SHA-1, SHA-256, SHA-384 & SHA-512

Generate cryptographic hashes from text or files directly in your browser. All five algorithms computed instantly and locally — nothing is uploaded. Works offline once the page has loaded.

0 characters
Output format
Hashes
MD5
SHA-1
SHA-256
SHA-384
SHA-512

Free Hash Generator — MD5, SHA-1, SHA-256, SHA-384 and SHA-512

This is a free online hash generator that computes cryptographic hashes from any text or file directly in your browser. Paste or type text and the five most common algorithms — MD5, SHA-1, SHA-256, SHA-384, and SHA-512 — update instantly as you type. Switch to File mode to drop a document, image, installer, or archive and get the same five hashes without the bytes ever leaving your device.

SHA algorithms run through the Web Crypto API (crypto.subtle.digest), the same primitive your browser uses for TLS. MD5 runs through a self-contained JavaScript implementation because browsers no longer expose MD5 natively. Files are read locally through the FileReader API, so even gigabyte-scale files are hashed without an upload.

Which hash algorithm should you use?

SHA-256 — the modern default

If you’re not sure which one to pick, use SHA-256. It’s fast, universally supported, and cryptographically secure for every mainstream use case — verifying file downloads, computing Subresource Integrity values, building content-addressed storage, signing tokens, and generating stable fingerprints of data. SHA-256 is the algorithm behind Git’s new object format, Bitcoin, TLS certificates, and most modern APIs.

SHA-384 and SHA-512 — longer digests

SHA-384 and SHA-512 produce longer outputs (96 and 128 hex characters respectively) and are mandated by some protocols and compliance regimes — for example, TLS 1.3 cipher suites, JWT HS384/HS512 signatures, and certain government standards. On 64-bit hardware, SHA-512 is often faster than SHA-256 because it processes 64-bit words natively. Use them when a spec tells you to; otherwise SHA-256 is plenty.

SHA-1 — legacy only

SHA-1 has been broken for collision resistance since 2017 (the SHAttered attack). Don’t use it for anything where an attacker picks the input — no signatures, no certificates, no security checks. It’s still fine for verifying legacy artifacts that were hashed with SHA-1 before the break: older Git commits, historical TLS fingerprints, and non-adversarial file checksums.

MD5 — checksums only

MD5 has been broken since 2004 and must not be used for anything security-sensitive. It is, however, still perfectly reasonable for non-adversarial integrity checks: verifying a trusted download matches the publisher’s advertised MD5, deduplicating files from a source you trust, or generating cache keys. Never hash passwords or sign documents with MD5.

How to use this hash generator

Hashing text

  1. Stay on the Text tab (the default).
  2. Paste or type into the text area. All five hashes update live as you type.
  3. Optionally toggle UPPERCASE or Base64 (not hex) to match the format you need.
  4. Click Copy next to any row, Copy all to grab the full set, or Download .txt to save a copy.

Hashing a file

  1. Switch to the File tab.
  2. Drop a file onto the drop zone or click to browse.
  3. The tool reads the file locally and computes all five hashes. Nothing is uploaded.
  4. Compare the generated SHA-256 (or whichever algorithm the publisher uses) against the value on their website. Matching strings confirm an untampered download.

Hex vs. Base64 — which format do you need?

Hex is the default and is what you’ll see on most “verify this download” pages — each byte becomes two hex digits, so a SHA-256 is 64 characters long. Base64 encodes the same bytes more densely (three bytes per four characters) and is what you’ll see in HTTP Subresource Integrity (integrity="sha256-…"), Content-Security-Policy headers, JWT signatures, and many TLS certificate fingerprints. Toggle Base64 (not hex) when the spec you’re following calls for it.

Common use cases

  • Verify file downloads — compare the generated SHA-256 against the publisher’s published value to confirm the file wasn’t tampered with or corrupted.
  • Subresource Integrity (SRI) — generate a Base64 SHA-256 or SHA-384 to drop into a <script integrity="sha384-…"> tag.
  • Git object hashes — compute the SHA-1 or SHA-256 of a file to compare against Git’s object store.
  • Deduplication — hash each file in a set and treat matching digests as duplicates.
  • Cache keys — turn a long input (a URL, a JSON payload) into a fixed-length key for a cache lookup.
  • Content addressing — generate stable IDs for immutable blobs in object storage or a CDN.

What this tool is not for

Don’t use raw MD5, SHA-1, or SHA-256 to store passwords. Password hashing requires a slow, memory-hard algorithm with a per-user salt — Argon2id, scrypt, or bcrypt. Plain SHA-256 is designed to be fast, which is exactly the opposite of what you want when an attacker has stolen your password database and wants to brute-force it on a GPU. This tool is built for fingerprinting data, not credential storage.

Privacy and offline use

Everything runs locally in your browser. Text and file bytes never leave your device, nothing is logged or cached on a server, and there are no analytics on your input. Once the page has loaded you can disconnect from the internet and the hash generator keeps working — useful when you’re verifying a sensitive download and don’t want the contents to leave your machine.

FAQ

Frequently Asked Questions

A hash is a fixed-length fingerprint of some input data. Feed in any text or file and the algorithm spits out a string of a fixed length (32 hex characters for MD5, 64 for SHA-256, 128 for SHA-512). Change a single byte of the input and the output is completely different. Hashes are used to verify file integrity, detect duplicates, create digital signatures, and (properly salted) store passwords.

For general-purpose fingerprinting of files or data, SHA-256 is the modern default — fast, widely supported, and secure. Use SHA-384 or SHA-512 if you need a longer digest for protocols that require it. Use SHA-1 only when verifying older artifacts (git, legacy TLS). Use MD5 only for non-security checksums like file integrity where you trust the source — MD5 is broken for anything adversarial.

MD5 has been broken for collision resistance since 2004, meaning an attacker can craft two different inputs that produce the same MD5. That rules it out for digital signatures, certificates, and any security context where an adversary picks the input. It is still fine for non-adversarial checksums: verifying a file you downloaded matches the publisher's published MD5, deduplication in trusted data, and cache keys. Do not use MD5 to hash passwords.

No, not directly. Plain SHA-256 or SHA-512 is far too fast to safely store passwords — an attacker who steals your database can brute-force billions of guesses per second on a GPU. Password hashing needs a slow, memory-hard algorithm like Argon2, scrypt, or bcrypt, with a per-user salt. This tool is for fingerprinting data, not password storage. If you need a password, use our password generator instead.

Yes. Text hashing uses the Web Crypto API (crypto.subtle.digest) for SHA algorithms and a self-contained MD5 implementation in JavaScript. Files are read locally through the browser FileReader API — the bytes never leave your device. Nothing is uploaded, logged, or cached server-side. You can disconnect from the internet after the page loads and the tool keeps working.

Hex is the default — each byte becomes two hex digits, so SHA-256 becomes 64 characters of 0-9/a-f. Base64 packs the same bytes more densely (three bytes per four characters), so the same hash becomes only 44 characters. Base64 is common in HTTP headers (Subresource Integrity, Content-Security-Policy), JWT signatures, and TLS certificate fingerprints. Toggle the "Base64" format to switch.

Switch to File mode, drop or pick the downloaded file, and compare the generated SHA-256 (or whichever algorithm the publisher used) against the hash on the publisher's website. If the two strings match character-for-character, the file has not been modified in transit and matches the publisher's version. If even one character differs, do not run the file — it has been altered or corrupted.

Most modern browsers handle multi-gigabyte files without issues, but the whole file has to fit in memory at once because we read the full ArrayBuffer before hashing. For very large files (over 2-4 GB) you may run into browser memory limits. For typical use cases — documents, images, audio, video, installers — you will not notice any slowdown.