
Hash Generator

Compute MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.

About the Hash Generator

A cryptographic hash is a fixed-length fingerprint of any input. The same input always produces the same hash, and even a one-byte change in the input completely changes the output. Hashes are used for verifying the integrity of downloaded files, de-duplicating content, indexing immutable artifacts, as a building block in JWT signatures, and in proof-of-work systems.

This generator supports four algorithms: MD5 (128-bit, fast, broken for security but still useful for non-security checksums), SHA-1 (160-bit, deprecated for signatures but still in Git's object store), SHA-256 (the modern default — used in TLS, blockchains, and most integrity checks), and SHA-512 (larger, slightly faster on 64-bit CPUs, used where extra collision margin is desired).

How it works

SHA-1, SHA-256, and SHA-512 are computed via the browser's native Web Crypto API (crypto.subtle.digest), which uses the same C/Rust implementations that power the rest of the browser's TLS stack. MD5 isn't in Web Crypto, so it's computed via the spark-md5 library, which is streaming, so large files don't need to be held in memory all at once.

For files, content is read with FileReader.readAsArrayBuffer in chunks when possible. The resulting hex digest is shown alongside copy buttons and a compare-to-expected field useful for verifying a checksum from a download page.
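
The compare-to-expected check described above, as an added example (not this tool's own code): it infers the algorithm from the length of the pasted digest, hashes the data with crypto.subtle.digest, and compares the hex strings. The function names, the sample input and the Node.js fallback are assumptions made for illustration.

```javascript
// Added example. In a browser this uses window.crypto.subtle; the require()
// fallback exists only so the snippet also runs in older Node.js versions.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Hex digest length -> Web Crypto algorithm name. A 32-character digest would
// be MD5, which Web Crypto does not implement, so it is reported separately.
const ALGO_BY_HEX_LENGTH = { 40: 'SHA-1', 64: 'SHA-256', 128: 'SHA-512' };

// Accepts a bare digest or a "digest  filename" line as found in checksum files.
function parseExpected(text) {
  const token = text.trim().split(/\s+/)[0].toLowerCase();
  if (!/^[0-9a-f]+$/.test(token)) return { error: 'not a hex digest' };
  if (token.length === 32) return { error: 'MD5 is not available in Web Crypto' };
  const algorithm = ALGO_BY_HEX_LENGTH[token.length];
  if (!algorithm) return { error: `unexpected digest length ${token.length}` };
  return { algorithm, hex: token };
}

// Lowercase hex encoding of an ArrayBuffer, two characters per byte.
function toHex(buffer) {
  return Array.from(new Uint8Array(buffer), b => b.toString(16).padStart(2, '0')).join('');
}

// data: ArrayBuffer or typed array, e.g. the result of FileReader.readAsArrayBuffer.
async function verifyChecksum(data, expectedText) {
  const expected = parseExpected(expectedText);
  if (expected.error) return { ok: false, reason: expected.error };
  const actual = toHex(await subtle.digest(expected.algorithm, data));
  return { ok: actual === expected.hex, algorithm: expected.algorithm, actual };
}

// Constructed sample input: the three bytes of "abc" and its SHA-256 digest,
// pasted in upper case with a file name as a checksum file might list it.
const SAMPLE_DATA = new TextEncoder().encode('abc');
const SAMPLE_LINE =
  'BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  abc.txt';

verifyChecksum(SAMPLE_DATA, SAMPLE_LINE).then(result => console.log(result));
```

A mismatch and an unusable expected value are reported differently (`ok: false` with `actual` set versus `ok: false` with a `reason`), so a mistyped or truncated checksum is not mistaken for a corrupted download.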

Privacy

Hashing happens entirely in your browser. No content — text or file — is ever sent to a server. This makes the tool safe to use on confidential data where uploading would be unacceptable.

Frequently asked questions

Which hash should I use?
For new code or signing, use SHA-256 (or SHA-512 if you want a larger output). For verifying a download against a publisher's checksum, use whatever algorithm they published. For non-security uses (cache keys, ETags, deduplication), MD5 or SHA-1 are fine and faster.
Why is MD5 considered broken?
Researchers have demonstrated practical collision attacks against MD5 since 2004 and chosen-prefix collisions since 2008. That means an attacker can craft two different files with the same MD5. It's still fine as a non-security checksum but unsafe for signatures or password hashing.
Should I use this to hash passwords?
No. Plain SHA or MD5 hashes are inappropriate for password storage because they're fast — attackers can try billions per second on a GPU. Use a slow, memory-hard function like Argon2id or bcrypt instead.
Are the hashes deterministic across implementations?
Yes. SHA-1, SHA-256, and SHA-512 are NIST standards (FIPS 180-4), and MD5 is RFC 1321. A given input produces the same hex digest in every conformant implementation, on every platform.
What's the largest file I can hash?
Several GB is comfortable on modern desktop browsers. SHA functions stream the input through the digest engine, so memory use stays small. MD5 (via SparkMD5) is also streaming. Performance scales linearly with file size and your device's CPU.
