Hash Generator Online — Free MD5, SHA-1, SHA-256, SHA-512 Online

Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text in your browser. SHA family runs through the Web Crypto SubtleCrypto API; MD5 is included as a pure-JS RFC 1321 implementation for legacy checksum compatibility.

AlgorithmOutput: 64 hex chars

Input Text

SHA-256 Digest (hex)

Click Hash to compute the digest.

What is a Hash Generator?

A hash generator turns arbitrary input into a fixed-size fingerprint — the digest. The same input always yields the same digest, but flipping a single bit in the input scrambles the output entirely (the avalanche property). Hashes underpin Git commits, file checksums, content-addressable storage, blockchain blocks, deduplication, and every TLS certificate signature.

This tool exposes the SHA family (SHA-1, SHA-256, SHA-384, SHA-512) through the browser native crypto.subtle.digest API — the same WebCrypto primitive used by Node, Deno, and Cloudflare Workers. MD5 is included as a pure-JS RFC 1321 implementation so you can verify legacy checksums without leaving the page.

How to generate a hash online — 4 steps

Paste your text. Input is UTF-8 encoded before hashing — the same bytes a Node Buffer or Python str.encode() would produce.
Pick an algorithm. SHA-256 for new work, SHA-512 for extra margin, MD5/SHA-1 only when matching a legacy checksum.
Click Hash. SubtleCrypto computes the SHA digest natively; MD5 runs through a pure-JS implementation. Both finish in under a millisecond for typical text.
Copy the digest. The output is lowercase hex of the expected length — 32, 40, 64, 96, or 128 characters depending on the algorithm.

Sample digests of "hello"

MD5     5d41402abc4b2a76b9719d911017c592
SHA-1   aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-256 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA-384 59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f
SHA-512 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043

Five Algorithms

MD5 (legacy), SHA-1, SHA-256, SHA-384, and SHA-512 — every hash you actually encounter in modern dev work, plus the legacy ones for verifying old downloads.

Web Crypto Native

SHA family runs through crypto.subtle.digest, which delegates to platform-optimised native code. Hashing a kilobyte of text is sub-millisecond on any phone.

Nothing Leaves The Tab

Hashing happens entirely in JavaScript on your machine. Plaintext you hash for testing — passwords, secrets, internal payloads — is never transmitted.

Common use cases

check_circleVerifying SHA-256 checksums of downloaded ISO, tarball, or installer files
check_circleComputing MD5 sums to compare against legacy mirrors and S3 ETags
check_circleGenerating ETags or cache keys from response bodies in REST APIs
check_circleChecking Git blob SHAs and verifying file content addresses
check_circleProducing content-addressed identifiers for IPFS, deduplication, and CAS
check_circleComputing HMAC inputs (hash of webhook bodies before signing)
check_circleQuickly diffing two large strings by comparing their digests
check_circleGenerating short fingerprints (first 8-12 hex chars) for human-readable IDs

Hashing is not encryption — and not password storage

A hash is a one-way fingerprint, not a reversible cipher. You cannot "decrypt" SHA-256, but for small input spaces (PINs, dictionary words, leaked password lists) attackers can simply hash every candidate and match. This is why password hashing requires a slow, salted KDF — Argon2id, bcrypt, scrypt, or PBKDF2 with hundreds of thousands of iterations — not raw SHA-256. If you are looking at this tool to figure out how to store a password, do not store the SHA-256: use argon2id or bcrypt in your backend.

Need other crypto-secure generators?

Pair the hash generator with passwords, UUIDs, and random integers — all generated locally in your browser.

Password Generator UUID Generator Random Number Generator

Frequently Asked Questions

What is a hash function?

A hash function maps any input — short or terabyte-long — to a fixed-size fingerprint (the digest). Two key properties: (1) the same input always produces the same output, so you can compare digests to detect changes; (2) for cryptographic hashes (SHA-256, SHA-512), it is computationally infeasible to find two inputs with the same output. Hashes underpin file checksums, Git commits, blockchain blocks, and every TLS handshake.

MD5 vs SHA-1 vs SHA-256 — which should I use?

For new code, use SHA-256 (or SHA-512). MD5 (since 2004) and SHA-1 (since 2017) are broken — researchers have produced collisions, meaning two different files with the same digest. They remain fine for non-security checksums (detecting bit-rot in a download, deduplicating files), but never use them for password hashing, signature verification, or content addressing where an attacker may craft input.

Can I use these hashes for password storage?

No. Password storage requires a slow, salted, memory-hard function — bcrypt, scrypt, Argon2, or PBKDF2 with at least 600,000 iterations. SHA-256 alone is too fast: a modern GPU can try billions of guesses per second against a database of leaked SHA-256 hashes. For password hashing, use Argon2id (preferred) or bcrypt with cost factor ≥ 12 in your backend; never store raw SHA-256 of a password.

Why is MD5 not in Web Crypto?

The W3C deliberately omitted MD5 from SubtleCrypto because it is cryptographically broken — exposing it as a first-class API risks developers using it where SHA-256 is required. We include MD5 here as a pure-JS implementation (about 100 lines of RFC 1321 reference code) so you can verify legacy checksums and interoperate with older systems, with a clear warning above the algorithm picker that MD5 is for non-security use only.

Are hashes reversible?

Cryptographic hashes are one-way — given a digest, you cannot recover the original input. However, hashes are not encryption: if the input space is small (a phone number, a UK postcode, a 6-digit PIN, a known dictionary word), an attacker can simply hash every candidate and look for a match. This is why password hashes need salt + slow KDF, and why hashing PII does not anonymise it.

What is the output size for each algorithm?

MD5 = 128 bits = 32 hex chars. SHA-1 = 160 bits = 40 hex chars. SHA-256 = 256 bits = 64 hex chars. SHA-384 = 384 bits = 96 hex chars. SHA-512 = 512 bits = 128 hex chars. Output is independent of input size — hashing one byte and hashing a one-gigabyte file both produce a digest of the same length.

Can I hash a file?

This page hashes text. To hash a file, drop it into the browser and read it with FileReader.readAsArrayBuffer — then pass the ArrayBuffer directly to crypto.subtle.digest. The same approach scales to multi-gigabyte files using streaming reads. We do not currently expose a file-hash mode here, but the Web Crypto API supports it natively.

Can I verify a checksum with this tool?

Yes — paste the original text, pick the algorithm shown alongside the published checksum (typically SHA-256 for modern releases, MD5 or SHA-1 for older mirrors), and compare the hex output. A character-for-character match means the content is intact. For binary files, use the file-hash workflow described above; the digest is the same regardless of where the bytes came from.