Security
Free Hash Generator Online
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text.
What is a hash function?
A cryptographic hash function takes any input and produces a fixed-length string called a digest. The same input always produces the same output, but you cannot reverse the process — you cannot reconstruct the original input from the hash alone. This property makes hashes useful for data integrity verification, digital signatures, and checksums.
Two critical properties of a secure hash function are collision resistance — it should be computationally infeasible to find two different inputs that produce the same hash — and pre-image resistance — given a hash, you cannot find the original input. SHA-256 and SHA-512 satisfy both properties; SHA-1 does not (it has known collision vulnerabilities).
For message authentication, use HMAC (Hash-based Message Authentication Code) — a construction that combines a hash function with a secret key to verify both integrity and authenticity of a message. HMAC-SHA256 is the standard for API request signing.
This tool uses the Web Crypto SubtleCrypto API to compute hashes locally in your browser. All four SHA variants are generated simultaneously — no server call, no data stored.
How to generate a hash
- 1Enter your text
Type or paste any text into the input field. You can hash a single word, a paragraph, an API key, or any string.
- 2Click Generate
All four hash algorithms (SHA-1, SHA-256, SHA-384, SHA-512) are computed simultaneously. Press ⌘↵ (Mac) or Ctrl+↵ (Windows) as a keyboard shortcut.
- 3Choose uppercase if needed
Toggle Uppercase output to get the hash in uppercase hex characters. Both formats are identical in value — some systems require one or the other.
- 4Copy the hash you need
Click Copy next to any algorithm to copy just that hash to your clipboard.
SHA-1 vs SHA-256 vs SHA-512 — which to use?
| Algorithm | Output length | Security | Use case |
|---|---|---|---|
| SHA-1 | 160 bits / 40 hex chars | ⚠️ Deprecated | Legacy systems only — do not use for new projects |
| SHA-256 | 256 bits / 64 hex chars | ✅ Current standard | File integrity, API signing, TLS certificates, Git commits |
| SHA-384 | 384 bits / 96 hex chars | ✅ Strong | TLS 1.2/1.3 cipher suites, intermediate security requirement |
| SHA-512 | 512 bits / 128 hex chars | ✅ Strongest | High-security applications, 64-bit systems (faster than SHA-256) |
For most purposes, SHA-256 is the right choice. It is the current NIST standard, used by TLS, code signing, and the majority of modern APIs.
⚠️ Don't use SHA for password hashing
SHA algorithms are designed to be fast — which makes them unsuitable for storing passwords. Fast hashing means an attacker can try billions of guesses per second. For passwords, use slow dedicated algorithms: bcrypt, Argon2, or scrypt. These are intentionally slow and include salting by design.
File integrity verification with checksums
One of the most common practical uses for SHA hashing is verifying that a downloaded file has not been corrupted or tampered with. Software distributors publish a SHA-256 checksum alongside their download. After downloading, you hash the file locally and compare the result to the published value. If they match, the file is authentic and intact.
This works because even a single bit change in the file produces a completely different hash — a property called the avalanche effect. Changing one character in a 1 MB file will produce a hash with no resemblance to the original. You can verify file integrity on the command line:
shasum -a 256 downloaded-file.zip # Compare output to the published checksum
Get-FileHash downloaded-file.zip -Algorithm SHA256 # Compare output to the published checksum
Common hashing use cases in software development
Hash functions in everyday web development
Cryptographic hashes appear throughout the web stack in ways that are easy to overlook. Understanding where and why hashes are used helps you make better security and architecture decisions:
Every commit, tree, blob, and tag in Git is identified by a SHA-1 hash of its content. This is why commit IDs look like 3a1b9f4... — they are SHA-1 digests. Git is migrating to SHA-256 for new repositories to address SHA-1's theoretical vulnerabilities.
HTTP ETags often contain an MD5 or SHA hash of the response body. When a browser makes a conditional GET request with If-None-Match, the server computes the current hash and compares it to the ETag. If they match, the server returns 304 Not Modified and saves bandwidth.
Platforms like npm, Docker, and IPFS identify packages and files by their SHA hash rather than by name and version alone. This makes it impossible to silently modify content at a URL — the hash of the file must match the expected hash, or the download is rejected. It prevents supply chain attacks.
When loading external JavaScript or CSS from a CDN, the integrity attribute contains a Base64-encoded SHA-384 or SHA-512 hash: <script src="..." integrity="sha384-...">. Browsers verify the downloaded file against this hash before execution. If the CDN is compromised, the modified file's hash will not match and the script will not run.
APIs like AWS, Stripe, and GitHub use HMAC-SHA256 to sign requests. The client computes HMAC(secret_key, request_content) and includes the result in a header. The server recomputes the HMAC and verifies it matches, proving the request came from someone with the secret key and that the body was not tampered with in transit.
Build tools like Webpack, Vite, and Parcel append a content hash to asset filenames: main.3b82f6a.js. This enables aggressive caching (the file's URL changes only when its content changes) while ensuring users always get the latest version after a deployment.
How to choose the right hash algorithm
Not all hash functions serve the same purpose. The right choice depends on your threat model, performance requirements, and the ecosystem you are working in:
For data integrity verification (file checksums, download verification, ETags): SHA-256 is the standard. It is fast, universally supported, and provides strong collision resistance. SHA-512 offers marginally more security with similar performance on 64-bit hardware. MD5 and SHA-1 are acceptable only for non-security checksums in a trusted internal system, never for integrity guarantees against a malicious actor.
For API request signing and token verification: Use HMAC-SHA256. Plain SHA-256 without a key is vulnerable to length extension attacks — an attacker can append data to a message and forge a valid hash without knowing the secret. HMAC prevents this by incorporating the key into the computation in a way that resists extension.
For deduplication and content addressing: SHA-256 is the default. If performance is critical and collision resistance requirements are lower (non-adversarial context), faster non-cryptographic hashes like xxHash or MurmurHash can be used, but these should never be used where security is a concern.
For passwords: Use bcrypt, Argon2id, or scrypt — never SHA-256 or any fast hash. Password hashing algorithms are deliberately slow and use salting to prevent rainbow table attacks. A GPU can compute billions of SHA-256 hashes per second, making unsalted SHA-256 passwords trivially crackable. Argon2id is the current OWASP recommendation for new projects.
FAQ
Common questions
What is a hash function?
A hash function takes any input and produces a fixed-length string called a digest. The same input always produces the same output, but you cannot reverse the process to recover the original text from the hash.
What is the difference between SHA-1, SHA-256, and SHA-512?
They differ in output length and security. SHA-1 (160-bit) is deprecated for security use. SHA-256 (256-bit) is the current standard for most applications. SHA-512 (512-bit) offers higher security and is faster on 64-bit systems.
Can I use this to hash passwords?
No. SHA functions are fast by design, making them unsuitable for password storage. For passwords, use bcrypt, Argon2, or scrypt — slow hashing algorithms designed to resist brute-force attacks.
What are hashes used for?
File integrity verification (checksums), digital signatures, data deduplication, API request signing (HMAC), storing non-sensitive identifiers, and verifying downloaded files.
Is my data safe?
Yes. All hashing is done locally in your browser using the Web Crypto API. Nothing is transmitted to any server.
What is the difference between hashing and encryption?
Hashing is one-way — you cannot recover the original input from a hash. Encryption is two-way — with the right key you can decrypt back to the original. Use hashing to verify integrity (checksums, passwords). Use encryption to protect data that must be recovered later (stored secrets, transmissions).
What is MD5 and why should I avoid it?
MD5 produces a 128-bit hash and was widely used through the 1990s. It is now considered cryptographically broken — MD5 collisions (two different inputs producing the same hash) can be generated in seconds. Avoid MD5 for any security purpose. It is still acceptable for non-security use cases like basic file change detection in trusted environments.
How do I verify a downloaded file using a hash?
After downloading the file, generate its SHA-256 hash and compare it against the checksum published by the software provider. On macOS/Linux: shasum -a 256 filename. On Windows PowerShell: Get-FileHash filename -Algorithm SHA256. If the hashes match exactly, the file is authentic and unmodified. A single character difference means the file is corrupted or tampered with.
More in Security