Hash Generator

Generate cryptographic hashes for text and files

strong medium 256 bits

256-bit hash (current standard)

Enter text above to generate cryptographic hashes

Security Configuration

Salt Configuration

Security Recommendations

Performance Benchmarks

Average time per hash operation (1000 iterations)

AlgorithmTimeSpeed
MD5N/Amsfast
SHA-1N/Amsfast
SHA-256N/Amsmedium
SHA-512N/Amsslow
SHA-384N/Amsmedium

Operation History

No hash history yet. Start generating hashes to build your audit trail!

How to generate hashes online?

Generate secure cryptographic hashes with our professional hash generator. Support for MD5, SHA-1, SHA-256, SHA-512, and more. Perfect for data integrity verification, password hashing, and security applications with real-time generation and validation.

Features

  • Five algorithms via the Web Crypto SubtleCrypto API: MD5 (where supported), SHA-1 (RFC 3174), SHA-256, SHA-384, and SHA-512 (FIPS 180-4 / RFC 6234)
  • Hex-encoded digest output with the canonical lowercase byte sequence used by openssl, sha256sum, and Git
  • Optional salt: 32-character cryptographically random salt by default, or paste your own custom salt for reproducible test vectors
  • Auto-hash mode that recomputes as you type for inputs up to 100 characters, with a manual generate button for longer payloads
  • Side-by-side comparison: when MD5/SHA-1/SHA-384/SHA-512 is selected, SHA-256 is generated alongside so you can spot which legacy hashes match modern ones
  • Per-algorithm benchmark mode running 1000 iterations to show real per-hash latency on your hardware
  • Hash history with timestamps and input length, persisted in localStorage (capped at 50 entries, scrubbed on clear)
  • Inline security recommendations that flag deprecated algorithms (MD5, SHA-1) and missing salts for password contexts
  • Strength badges sourced from each algorithm's NIST classification: deprecated, weak, medium, strong, very-strong

How to use

  1. Paste or type the text you want to hash into the input area; auto-hash kicks in for short inputs while longer payloads wait for the Generate button.
  2. Pick an algorithm from the dropdown — SHA-256 is the default and the right choice for general integrity checks, signatures, and Git-style fingerprints.
  3. If you are hashing a password or token, leave Use Salt enabled and either accept the random 32-char salt or paste your own custom salt for reproducibility.
  4. Click Generate (or wait for auto-hash) and read the digest as a lowercase hex string ready to compare against `sha256sum`, `openssl dgst`, or a backend.
  5. Open Benchmarks if you want to see per-algorithm timing on your machine, useful when choosing between SHA-256 and SHA-512 for high-throughput code paths.
  6. Use Copy to grab the digest, or open History to revisit recent inputs and outputs without retyping.

Tips & Best Practices

  • All processing happens locally in your browser — your data never leaves your device.
  • Never share sensitive tokens or passwords in unencrypted channels.
  • Regularly rotate your secrets, keys, and passwords for better security.
  • Use strong, unique values for each service or application.
  • Verify the output before using it in production environments.

FAQ

Is MD5 still safe to use anywhere?

MD5 (RFC 1321) is broken for collision resistance — Wang et al. demonstrated practical collisions in 2004 and chosen-prefix collisions are now trivial. It is unsafe for digital signatures, certificate fingerprints, password hashing, or any adversarial integrity check. It is still acceptable for non-adversarial checksums like detecting accidental file corruption or comparing inputs in cache keys, but new code should default to SHA-256.

Does anything I hash leave my browser?

No. All hashing runs through the browser's Web Crypto API (`window.crypto.subtle.digest`), which executes in the renderer process on your device. There is no network request to our servers, no analytics on input content, and no persistent storage of plaintext beyond localStorage history that you control. Closing the tab or clearing history removes everything.

Should I use this for password hashing?

No. Plain SHA-256 or SHA-512 is too fast for passwords — an attacker with a GPU can compute billions of guesses per second. For passwords, use a memory-hard KDF such as Argon2id, scrypt, or bcrypt with a per-user salt and a tuned cost factor. This tool is appropriate for file integrity, deterministic IDs, content-addressed storage, and HMAC building blocks, not credential storage.

Why might MD5 fail in my browser?

Web Crypto only mandates SHA-1, SHA-256, SHA-384, and SHA-512. MD5 support varies — Chromium-based browsers expose it on some platforms, Firefox does not. When SubtleCrypto rejects MD5 the tool falls back to a non-cryptographic stand-in for display purposes only; for real MD5 checksums on sensitive workflows use `md5sum` locally or a server-side library.

Why are my hash bytes shown as hex instead of Base64?

Lowercase hex is the lingua franca of CLI tools (`sha256sum`, `openssl dgst -sha256`, Git commit IDs, ETags) and matches how databases and logs typically store digests. If you need Base64 (e.g., for Subresource Integrity attributes), pipe the hex through a Base64 encoder — every two hex chars become one byte before encoding.

What's the difference between SHA-256 and SHA-512 for my use case?

Both are members of the SHA-2 family (FIPS 180-4) with no known practical attacks. SHA-512 produces a 512-bit digest and is faster than SHA-256 on 64-bit CPUs because it operates on 64-bit words natively. SHA-256 is the de facto default for blockchain, TLS, and code signing. Pick SHA-512 for high-throughput backend hashing on modern x86_64/ARM64; pick SHA-256 for interoperability.

Does adding a salt change the digest format?

Salt is concatenated with the input before hashing, so the output is still the standard 32/40/64/96/128 hex characters of the chosen algorithm. The salt itself is not encoded into the hash — you must store it separately if you need to verify later. This matches the pattern used by libsodium and most password-hashing libraries before they adopted self-describing PHC string formats.

Can I use these hashes for Git or content addressing?

The SHA-1 output here matches Git's object IDs in legacy repositories, and SHA-256 matches the format used by SHA-256 Git, IPFS multihashes (after multibase encoding), and OCI image digests. Note that Git hashes the content with a `blob <length>\0` header prefix, so a raw SHA of file contents will not match `git hash-object` output unless you replicate the header.

Related Tools

Password GeneratorJWT Decoder & VerifierPassword Strength CheckerSecure Note SharerFile Hash VerifierJWT GeneratorCSP Header GeneratorText Encrypt/DecryptSRI Hash GeneratorX.509 / SSL Certificate DecoderPGP Encrypt, Decrypt & Generate KeysIP Address FinderCSV Cleaner & NormalizerMarkdown PreviewerAPI Rate Limiting CalculatorXML ⇄ JSON ConverterCSV ⇄ JSON ConverterUnit Converter