Hash Generator (MD5 / SHA family)

Hash any text with MD5, SHA-1, SHA-256, SHA-384, and SHA-512 in one go. All hashing happens in your browser.

Text to hash

Uppercase

MD5—

SHA-1—

SHA-256—

SHA-384—

SHA-512—

What is a cryptographic hash?

A cryptographic hash function takes an arbitrary input and produces a fixed-length output called a digest. The function is deterministic (same input always produces the same digest), efficient to compute, and infeasible to invert — given a digest you cannot practically reconstruct the input. Two inputs producing the same digest is called a collision; a good hash function makes collisions essentially impossible to find.

This tool computes five standard digests at once. SHA-1, SHA-256, SHA-384, and SHA-512 are computed using the browser's Web Crypto API, which delegates to the same vetted implementations the rest of the platform uses. MD5 is computed by a hand-written port of RFC 1321 because Web Crypto deliberately omits MD5 — it is considered cryptographically broken and is offered here only for compatibility with legacy systems such as Apache htpasswd files or old API checksums.

Use cases

Generate file or content checksums for cache busting and integrity checks.
Compute the SHA-256 of an email address before sending it to an analytics endpoint that expects hashed PII.
Verify that a message you received matches the digest published by the sender.
Produce content-addressed identifiers for documents stored in S3 or IPFS.
Generate stable cache keys for memoised API responses.

Best practices

Do not use MD5 or SHA-1 for any security-sensitive purpose — both are broken against collision attacks.
For password storage use a slow KDF such as bcrypt, scrypt, or Argon2 instead of a raw hash.
When hashing user input always normalise (trim, lowercase) consistently on both sides.
Choose SHA-256 as the default for new applications; step up to SHA-512 only if you are constrained by an external spec.

Reference

Algorithm	Output length / status
MD5	128 bits (32 hex). Broken — do not use for security.
SHA-1	160 bits (40 hex). Broken — do not use for security.
SHA-256	256 bits (64 hex). Recommended general-purpose hash.
SHA-384	384 bits (96 hex). Common in TLS suites.
SHA-512	512 bits (128 hex). Marginally stronger, larger output.

Frequently asked questions

Why is MD5 still here if it is broken?

MD5 is broken for collision resistance and must not be used for security, but legacy systems still rely on it for non-security checksums. We include it for compatibility with those systems.

Is the input sent anywhere?

No. SHA hashes are computed by your browser's Web Crypto API; MD5 by JavaScript bundled into the page. Nothing leaves your device.

Can I hash a file?

This tool hashes text. To hash a file you would need a file picker; in the meantime, drag the file contents into a terminal and pipe through shasum -a 256.

Why are the digests shown in lowercase hex?

Lowercase hex is the conventional representation in Unix and modern crypto libraries. Toggle uppercase if you need parity with PowerShell or .NET output.

What hash should I use for passwords?

None of these. Use a memory-hard, deliberately slow KDF such as Argon2, bcrypt, or scrypt. A fast hash makes brute-forcing passwords cheap.