Hash Generator (MD5/SHA-1/SHA-256/SHA-512)
Paste text or drop a file and get its MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests side by side. Everything is computed locally with the Web Crypto API (plus an embedded MD5 routine), so the input never leaves your browser — safe even for files you can't upload to a random website. On load the tool self-tests against the published empty-string vectors, so you can trust what it prints.
0 bytes (UTF-8). Note: a trailing newline or CRLF vs LF line endings change the hash.
How to use the hash generator (md5/sha-1/sha-256/sha-512)
- Choose Text mode and type or paste your input — all five hashes update live as you type.
- Or switch to File mode and drop a file (an ISO, a ZIP, an installer) to hash its exact bytes.
- Compare the result against the checksum published by the download page, character for character.
- Use the copy button on any row; toggle UPPERCASE if the published checksum uses capital hex.
Which hash for which job
A cryptographic hash maps any input to a fixed-size fingerprint: MD5 produces 128 bits (32 hex characters), SHA-1 produces 160 bits (40 hex), SHA-256 produces 256 bits (64 hex), and SHA-512 produces 512 bits (128 hex). The right choice depends on whether an attacker is part of your threat model:
- Integrity checks against accidental corruption (did the download finish? did the backup copy correctly?): any algorithm works, including MD5 — random bit flips have a 1 in 2128 chance of colliding.
- Integrity against tampering (could someone have swapped the file?): use SHA-256 or SHA-512. MD5 and SHA-1 collisions can be manufactured, so a tampered file can be made to match an MD5 checksum.
- Password storage: none of these. Fast hashes are exactly what attackers want — a single GPU can attempt billions of MD5 or SHA-256 guesses per second. Store passwords with bcrypt, scrypt, or Argon2, which are deliberately slow and salted. If you need an Apache basic-auth file, our .htpasswd generator uses bcrypt.
Verifying a download's checksum, step by step
Suppose a project publishes sha256: 9f86d081…00a08 next to its installer. Drop the downloaded file into File mode above and compare. To cross-check with your operating system:
- Windows:
certutil -hashfile installer.exe SHA256in Command Prompt, orGet-FileHash installer.exein PowerShell (SHA-256 is its default). - macOS:
shasum -a 256 installer.dmg - Linux:
sha256sum installer.AppImage
Compare the full string, not just the first few characters — partial matches are exactly what a collision attack produces. For a quick sanity check, the SHA-256 of the three bytes abc is ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; type abc into the tool and confirm.
The honest history of MD5 and SHA-1
MD5 was published in 1992 and broken in practice in 2004, when researchers produced two different inputs with the same digest in hours on commodity hardware. By 2008 a team used MD5 collisions to forge a working rogue certificate authority, and the 2012 Flame malware forged a Microsoft code-signing certificate the same way. Today an MD5 collision costs seconds on a laptop. MD5 survives only as a fast checksum for detecting accidental corruption — a job it still does fine.
SHA-1 lasted longer: theoretical breaks appeared in 2005, and in 2017 Google and CWI Amsterdam published SHAttered, two real PDF files with identical SHA-1 digests, at a cost of roughly 110 GPU-years (thousands of dollars at cloud prices, and falling). The 2019 chosen-prefix improvement made forged certificates practical. Git is migrating object hashing to SHA-256, and all browsers rejected SHA-1 TLS certificates years ago. The SHA-2 family (SHA-256/384/512) has no known practical collision attack as of 2026.
Frequently asked questions
Is it safe to hash sensitive text or files here?
Yes. Hashing runs entirely in your browser: SHA variants use the built-in Web Crypto API (crypto.subtle.digest) and MD5 uses a small JavaScript routine on this page. Nothing is transmitted — you can load the page, disconnect from the internet, and it still works.
Why does the same text give a different hash than on my server?
Almost always line endings or trailing whitespace. Windows files use CRLF (\r\n) while Unix uses LF (\n), and 'hello\n' hashes completely differently from 'hello'. Encoding matters too: this tool hashes the UTF-8 bytes of your text, so non-ASCII characters will differ from a Latin-1 hash of the same string.
Can I decrypt or reverse an MD5 or SHA-256 hash?
No — hashes are one-way functions, not encryption; the original data is mathematically unrecoverable from the digest. Sites that claim to 'decrypt MD5' just look the hash up in precomputed tables of common inputs. That lookup trick is precisely why unsalted fast hashes are unacceptable for passwords.
Which algorithm should I use to verify a downloaded file?
Use whichever the publisher provides, but prefer SHA-256 when offered. If only MD5 is published it still catches corrupted downloads, just not deliberate tampering. Comparing both an MD5 and a SHA-256 simultaneously — which this tool computes anyway — makes a manufactured collision practically impossible.
Is there a file size limit?
The Web Crypto API needs the entire file in memory as one buffer, so the practical ceiling is your browser's memory — the tool warns above roughly 500 MB. For multi-gigabyte ISOs, use your OS's command line (certutil, shasum, sha256sum), which streams the file instead.
Why are MD5 and SHA-1 labeled 'checksums only'?
Both have practical collision attacks: an attacker can construct two different files with the same digest (MD5 since 2004, SHA-1 since 2017's SHAttered attack). They remain fine for detecting accidental corruption, but should never back signatures, certificates, password storage, or any security decision.
Related tools
- .htpasswd GeneratorGenerate .htpasswd lines for Apache and nginx basic auth — bcrypt or MD5-crypt hashes computed locally, your password never touches a server.
- chmod Permissions CalculatorConvert Linux file permissions between octal and symbolic instantly — check rwx boxes to get chmod 755-style commands with clear explanations.
- Base64 ⇄ Image ConverterConvert Base64 to an image and images to Base64 data URIs in your browser — instant preview, PNG, JPG, WebP and SVG support, nothing uploaded.
- JSON Escape / UnescapeEscape text for JSON strings or unescape JSON back to plain text — quotes, backslashes, newlines, and unicode handled correctly both ways.
- Aspect Ratio CalculatorCalculate aspect ratios and missing dimensions — lock 16:9 or any ratio and solve width or height for video, images, and responsive design.
- CSS Box Shadow GeneratorDesign CSS box shadows visually with multiple layers, inset, spread, and color alpha controls — live preview and copy-ready CSS output.
Learn more
- Hashing vs. Encoding vs. Encryption (and When MD5 Is Fine)Hashing is one-way, encoding is reversible, encryption needs a key. Learn which to use, why MD5 still has a place, and why passwords need more than SHA-256.
- Linux File Permissions Explained: What 755 and 644 Actually MeanDecode Linux file permissions and chmod numbers: read/write/execute, owner/group/other, and why 755 and 644 are the defaults you reach for.