Hash Generator
Generate SHA-1, SHA-256, SHA-384, or SHA-512 hashes from any text. Uses your browser's Web Crypto API — nothing leaves your machine.
Where hashing is used
File integrity verification
Hash a file's content and compare against the published checksum. If they match, the file hasn't been tampered with or corrupted in transit. SHA-256 is the standard for software distribution checksums.
Password hashing (understanding)
SHA-256 alone is not safe for passwords — it's too fast. Password storage requires a slow hash like bcrypt, Argon2, or PBKDF2. Use this tool to understand how hashing works, not for production password storage.
HMAC and API authentication
Many APIs (GitHub webhooks, AWS Signature V4, Stripe) use HMAC-SHA256: a hash of the payload combined with a shared secret. Understanding the underlying hash function helps debug signature verification failures.
Content addressing
Git uses SHA-1 (transitioning to SHA-256) to identify every commit, tree, and blob by content hash. Blockchain transactions use SHA-256. Hashing creates a deterministic fingerprint for any piece of data.
Algorithm comparison
SHA family output sizes and use cases
| Algorithm | Output | Hex chars | Status |
|---|---|---|---|
| SHA-1 | 160-bit | 40 | Deprecated (collisions known) |
| SHA-256 | 256-bit | 64 | Recommended — current standard |
| SHA-384 | 384-bit | 96 | High security, TLS suite |
| SHA-512 | 512-bit | 128 | Maximum size SHA-2 family |
Frequently asked questions
What is a cryptographic hash function?
A cryptographic hash function takes any input and produces a fixed-length output (the hash or digest). It has three key properties: deterministic (same input always produces same output), one-way (you can't reverse a hash to get the input), and collision-resistant (it's computationally infeasible to find two different inputs that produce the same hash).
Which algorithm should I use — SHA-1, SHA-256, or SHA-512?
For new applications: SHA-256 is the default choice. It's fast, widely supported, and still secure. SHA-512 produces a longer hash (512 bits vs 256) for higher security margins. SHA-1 is deprecated for security use — it has known collision attacks — but still appears in legacy systems and Git. Use SHA-256 unless you have a specific reason to choose otherwise.
Is this tool safe for sensitive data?
Everything runs in your browser using the Web Crypto API. No data is sent to any server. However, hashing is not encryption — a SHA-256 hash of a password or secret does not protect it if an attacker has the hash and can try inputs (dictionary attacks). Never hash secrets without a salt and key-stretching function.
Why does the same text always produce the same hash?
That's by design — hashes are deterministic. This property makes them useful for verification: publish a hash, recipient hashes their copy, match means the data is identical. The trade-off is that an attacker can precompute hashes for common inputs (rainbow tables), which is why password storage needs salting.
What's the difference between a hash and encryption?
Hashing is one-way — there's no key and no way to reverse it. Encryption is two-way — you can encrypt and decrypt with the right key. Hash files to verify integrity. Encrypt files to protect content. Confusing the two is a common security mistake (storing password hashes without salt, or 'encrypting' with MD5).
Related Tools
All conversions run in your browser — nothing is uploaded.
Browse all 26 converters →