Client-side utility

Hash Generator - MD5, SHA-1, SHA-256, SHA-384, SHA-512 in your browser

Free online hash calculator. Compute MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 digests of any text instantly. All hashing runs locally in your browser - your input is never sent to a server, making it safe for API keys, passwords, and other sensitive data.

Hashes refresh while you type. Whitespace and line breaks are included exactly as entered.

Algorithm comparison

Side-by-side comparison of MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 with output sizes, security status, and recommended use cases.

| Algorithm | Status | Output | Use case |
|---|---|---|---|
| MD5 | Insecure | 128 bit / 32 hex | File integrity checks on trusted systems (not security-critical) |
| SHA-1 | Compromised | 160 bit / 40 hex | Git commit IDs and legacy certificate chains (avoid for new work) |
| SHA-224 | Secure | 224 bit / 56 hex | Constrained environments where a shorter SHA-2 digest is required |
| SHA-256 | Secure | 256 bit / 64 hex | Digital signatures, TLS certificates, blockchain, general-purpose hashing |
| SHA-384 | Secure | 384 bit / 96 hex | TLS 1.3 cipher suites and subresource integrity (SRI) tags |
| SHA-512 | Secure | 512 bit / 128 hex | Password hashing pipelines and high-security data archiving |

How hash functions work

A hash function takes any input - a single character or an entire file - and produces a fixed-length string called a digest. Feed the same input twice and you always get the exact same output. Change even one byte and the digest changes completely. This is the avalanche effect.

Hashing is a one-way operation: there is no mathematical inverse that reconstructs the original input from its digest. That property makes hashes useful for verifying file integrity without storing the file itself, and for confirming a password matches without ever saving the plaintext.

Collision resistance is what separates modern algorithms from deprecated ones. A collision occurs when two different inputs produce the same digest. MD5 and SHA-1 are vulnerable to crafted collisions, which is why they are no longer trusted for security-sensitive tasks. SHA-256 and above have no known practical collisions.
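
The avalanche effect can be measured directly. This added example (not this tool's own code) runs under Node.js with the built-in crypto module instead of the page's CryptoJS, and counts how many digest bits change between two constructed inputs for each of the six algorithms.

```javascript
// Added example: runs under Node.js with the built-in crypto module.
const crypto = require('node:crypto');

const ALGORITHMS = ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'];

// Digest of a UTF-8 string, returned as raw bytes.
function digest(algorithm, text) {
  return crypto.createHash(algorithm).update(text, 'utf8').digest();
}

// Count the bit positions in which two equal-length digests differ.
function bitDifference(a, b) {
  let count = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) count += x & 1;
  }
  return count;
}

// Compare the digests of two inputs under every algorithm on the page.
function avalanche(inputA, inputB) {
  return ALGORITHMS.map((algorithm) => {
    const a = digest(algorithm, inputA);
    const b = digest(algorithm, inputB);
    return {
      algorithm,
      bits: a.length * 8,
      hexChars: a.length * 2,
      changedBits: bitDifference(a, b),
    };
  });
}

// Constructed inputs: 'o' (0x6f) and 'n' (0x6e) differ in exactly one bit.
console.table(avalanche('hello', 'helln'));
// A trailing newline is part of the input and changes the digest just as much.
console.table(avalanche('hello', 'hello\n'));
```

Roughly half of the output bits flip in every row, which is why a digest copied with a stray newline or space will not match the expected value.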

Choosing the right algorithm

  • MD5: Only for non-security checksums where legacy tools require it. Never for passwords or signatures.
  • SHA-1: Avoid for new projects. Acceptable only when interoperating with systems that have not yet migrated.
  • SHA-256: The safe default for most uses: file verification, API request signing, HMAC keys.
  • SHA-512: Prefer when building a password-hashing pipeline or when a larger digest is needed for extra margin.
  • SHA-384: Use for browser subresource integrity (SRI) attributes and TLS 1.3 compatible cipher negotiation.
  • SHA-224: Niche use in constrained devices or protocols with a hard limit on digest size.
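
For the SRI use case in the list above, this added example (not this tool's own code) builds a SHA-384 integrity value and checks a resource body against an integrity attribute, under Node.js with the built-in crypto module. The script body and the `https://cdn.example/lib.js` URL are constructed samples, and the checker fails closed when the attribute contains no supported hash.

```javascript
// Added example: runs under Node.js with the built-in crypto module.
const crypto = require('node:crypto');

// Hash functions SRI allows, weakest to strongest.
const SRI_ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Build an integrity value of the form "sha384-<base64 digest>".
function sriValue(body, algorithm = 'sha384') {
  if (!SRI_ALGORITHMS.includes(algorithm)) {
    throw new Error(`unsupported SRI algorithm: ${algorithm}`);
  }
  const b64 = crypto.createHash(algorithm).update(body).digest('base64');
  return `${algorithm}-${b64}`;
}

// Check a body against an integrity attribute. The attribute may list several
// hashes; only those using the strongest listed algorithm count.
// Fails closed when no supported hash is present.
function matchesIntegrity(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => {
      const dash = token.indexOf('-');
      return { algorithm: token.slice(0, dash), b64: token.slice(dash + 1).split('?')[0] };
    })
    .filter((entry) => SRI_ALGORITHMS.includes(entry.algorithm));
  if (entries.length === 0) return false;
  const strongest = entries
    .map((entry) => SRI_ALGORITHMS.indexOf(entry.algorithm))
    .reduce((a, b) => Math.max(a, b));
  return entries
    .filter((entry) => SRI_ALGORITHMS.indexOf(entry.algorithm) === strongest)
    .some((entry) => sriValue(body, entry.algorithm) === `${entry.algorithm}-${entry.b64}`);
}

// Constructed sample: a script body and the tag a page would ship for it.
const SAMPLE_BODY = Buffer.from('console.log("vendor library v1");\n', 'utf8');
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriValue(body)}" crossorigin="anonymous"></script>`;
}
console.log(scriptTag('https://cdn.example/lib.js', SAMPLE_BODY));
```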

Frequently asked questions

Common questions about hash functions and how to use them safely.

No. Hash functions are one-way by design - there is no mathematical inverse that reconstructs the original input from its digest. What looks like 'cracking' a hash is actually a guessing attack: an attacker hashes millions of candidate inputs (dictionary lookup, rainbow table, or brute-force search) and checks for a matching digest. They find an input that produces the same hash, not the original text. The only practical defenses against this are using a strong algorithm (SHA-256+), a long input, and a per-input salt for stored passwords.
No - use a password hashing function instead. MD5 and SHA-256 are general-purpose digest algorithms designed to be fast, which is exactly the wrong property for password storage because attackers can compute billions of guesses per second on a GPU. For passwords, use a purpose-built slow KDF such as bcrypt, scrypt, or Argon2 (the OWASP and NIST recommended choices). These functions add tunable computation cost, memory hardness, and a per-password salt, which makes offline cracking economically impractical even after a database leak.
No. All hashing in this tool runs entirely in your browser using the CryptoJS library, and the input never leaves your device. The server only serves the static HTML, CSS, and JavaScript - it sees no inputs, hashes, or metadata about what you typed. This makes the tool safe for hashing sensitive values such as API keys, configuration secrets, file fingerprints, or strings you need to verify against a known digest.
A hash collision occurs when two different inputs produce the same digest. Collisions are mathematically unavoidable because hash outputs are fixed-length while inputs are unlimited, but a secure algorithm makes finding one computationally infeasible - this is called collision resistance. MD5 (broken in 2004) and SHA-1 (broken in 2017) have practical collision attacks, meaning an attacker can construct a malicious file or TLS certificate that matches the digest of a legitimate one. SHA-256, SHA-384, and SHA-512 have no known practical collisions and remain the current standard for digital signatures, certificates, blockchains, and file integrity checks.
MD5 is the fastest of the six algorithms here, followed by SHA-1, then SHA-256/SHA-224, then SHA-384/SHA-512. Speed scales with digest size and round count - larger digests do more work per input. On modern x86-64 hardware, MD5 hashes around 700 MB/s per core, SHA-256 around 400 MB/s, and SHA-512 around 600 MB/s (because SHA-512 uses 64-bit words that process more data per round). For password hashing the speed ranking is reversed: you want the slowest algorithm available, which is why bcrypt, scrypt, or Argon2 are used instead.
Hashing is a one-way transformation: the digest cannot be reversed to recover the input. Encryption is a two-way transformation: the ciphertext can be decrypted back to the plaintext using a key. Use hashing when you need to verify integrity (file checksums, password storage, digital signatures) or fingerprint data. Use encryption when you need to retrieve the original content later, such as protecting a message in transit (TLS, HTTPS) or at rest (disk encryption). The two are often combined - signing a message uses a hash plus encryption of that hash with a private key.
MD5 and SHA-1 are still useful for non-security use cases such as file integrity checks against accidental corruption, deduplication, ETags in HTTP caching, and verifying legacy systems that have not migrated yet. They are unsafe for any security-sensitive purpose - password storage, digital signatures, certificate fingerprints, or message authentication. Treat them as a checksum, not a security primitive.
Each algorithm produces a fixed-length digest regardless of input size. MD5: 128 bits / 32 hex characters. SHA-1: 160 bits / 40 hex characters. SHA-224: 224 bits / 56 hex characters. SHA-256: 256 bits / 64 hex characters. SHA-384: 384 bits / 96 hex characters. SHA-512: 512 bits / 128 hex characters. The hex representation is twice the byte count because each byte is two hex characters.
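
The password-storage answer above, as an added example (not this tool's own code): a fast unsalted SHA-256 digest next to salted scrypt storage with constant-time verification, under Node.js with the built-in crypto module. The `$`-separated record layout and the cost parameters are assumptions made for illustration; tune the cost to your own hardware.

```javascript
// Added example: runs under Node.js with the built-in crypto module.
const crypto = require('node:crypto');

// Illustrative scrypt cost: N = CPU/memory cost, r = block size, p = parallelism.
const PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const KEY_LEN = 32;

// What NOT to store: fast and unsalted, so equal passwords give equal digests.
function fastDigest(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Derive a slow, salted key and pack parameters, salt and key into one record.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt per password
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Recompute with the stored salt and parameters, then compare in constant time.
function verifyPassword(password, record) {
  const parts = record.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [, N, r, p, saltB64, keyB64] = parts;
  const expected = Buffer.from(keyB64, 'base64');
  if (expected.length === 0) return false;
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, 'base64'),
    expected.length, { N: Number(N), r: Number(r), p: Number(p), maxmem: PARAMS.maxmem });
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample: two accounts that chose the same password.
const SAMPLE_PASSWORD = 'correct horse battery staple';
const recordA = hashPassword(SAMPLE_PASSWORD);
const recordB = hashPassword(SAMPLE_PASSWORD);
console.log('sha256 digests equal:', fastDigest(SAMPLE_PASSWORD) === fastDigest(SAMPLE_PASSWORD));
console.log('scrypt records equal:', recordA === recordB);
console.log('verify correct:', verifyPassword(SAMPLE_PASSWORD, recordA));
console.log('verify wrong:  ', verifyPassword('Tr0ub4dor&3', recordA));
```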