Hash generator

Generate SHA-1, SHA-256, SHA-384 and SHA-512 digests of text or files — instantly and privately in your browser.

MD5 is intentionally omitted: it is cryptographically broken and unsupported by the Web Crypto API.

What a cryptographic hash actually is

A cryptographic hash function takes any input — a single character, a paragraph, or a multi-gigabyte file — and produces a fixed-length string called a digest. The same input always yields the same digest (it is deterministic), but the function is one-way: there is no practical way to run it backwards and recover the original data. It also has the avalanche effect — change one character and roughly half the output bits flip, so two near-identical inputs produce completely unrelated digests. This tool computes those digests with crypto.subtle.digest(), the browser’s built-in Web Crypto API, entirely on your device.

A worked example

Hash the lowercase word hello with SHA-256 and you always get 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. Capitalise a single letter to Hello and the digest becomes 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969 — totally different, despite a one-character change. Notice the length never varies: SHA-256 always returns 64 hexadecimal characters, no matter how large the input is.
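The worked example above, reproduced with crypto.subtle.digest() as an added example (not this tool's own source code). It goes one step further by counting how many bits differ between the two digests and by comparing a digest against a published checksum; the helper names (digestBytes, hashHex, bitDifference, matchesChecksum) are hypothetical, and the "digest  filename" checksum format is an assumption.

```javascript
// Added example, not this tool's source; helper names are hypothetical.
// Runs in a browser console or Node.js (which exposes the same Web Crypto API).
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);

// Hash a string (as UTF-8) or a byte buffer; resolves to the raw digest bytes.
async function digestBytes(algorithm, input) {
  const data = typeof input === 'string' ? new TextEncoder().encode(input) : input;
  return new Uint8Array(await subtle.digest(algorithm, data));
}

// Lowercase hex, two characters per byte (so SHA-256 is always 64 characters).
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

async function hashHex(algorithm, input) {
  return toHex(await digestBytes(algorithm, input));
}

// Avalanche effect: number of bit positions where two equal-length digests differ.
function bitDifference(a, b) {
  if (a.length !== b.length) throw new RangeError('digest lengths differ');
  let bits = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x &= x - 1) bits++; // clear lowest set bit
  }
  return bits;
}

// Compare against a published checksum. Assumption: it may be upper-case or in
// "digest  filename" form, so take the first token and lower-case it.
async function matchesChecksum(algorithm, input, published) {
  const expected = published.trim().split(/\s+/)[0].toLowerCase();
  const actual = await hashHex(algorithm, input);
  // A wrong length means a different algorithm or a truncated paste: reject.
  return /^[0-9a-f]+$/.test(expected) && expected.length === actual.length && expected === actual;
}

async function demo() {
  const lower = await digestBytes('SHA-256', 'hello');
  const upper = await digestBytes('SHA-256', 'Hello');
  console.log(toHex(lower), '\n' + toHex(upper));
  console.log(`${bitDifference(lower, upper)} of ${lower.length * 8} bits differ`);
  for (const alg of ['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512']) {
    console.log(alg, (await hashHex(alg, 'hello')).length, 'hex characters');
  }
}
demo().catch(console.error);
```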

Choosing an algorithm

| Algorithm | Digest size | Hex length | Status & typical use |
|---|---|---|---|
| SHA-256 | 256 bits | 64 chars | Secure — TLS certificates, blockchains, file checksums. The default choice. |
| SHA-512 | 512 bits | 128 chars | Secure — fast on 64-bit hardware, signatures, key derivation. |
| SHA-384 | 384 bits | 96 chars | Secure — a truncated SHA-512 used in IPsec and government profiles. |
| SHA-1 | 160 bits | 40 chars | Weak — collisions are practical. Fine for Git IDs, not for security. |

Hashes power data-integrity checks (compare a download against its published checksum), content addressing (Git names every object by its hash), digital signatures and deduplication. One thing they are not built for is storing passwords directly: a raw SHA digest is far too fast to compute, so use a deliberately slow, salted function such as bcrypt, scrypt or Argon2 for that job.

Privacy note: this generator has no server component. Text you type and files you select are read and hashed locally in this browser tab — nothing is uploaded, logged or stored. Close the tab and the input is gone.

Frequently asked questions

Is my text or file sent to a server to be hashed?

No. Every digest is computed locally with the browser’s native Web Crypto API (crypto.subtle.digest). Your input never leaves your device, so it is safe to hash API keys, document contents or other sensitive values here. Files are read directly from disk in your browser and are never uploaded.

Why is MD5 not available?

MD5 is broken — practical collision attacks let an attacker craft two different inputs with the same MD5 digest, so it must never be used for security. The Web Crypto API deliberately does not implement it. We provide SHA-1, SHA-256, SHA-384 and SHA-512 instead, which are the standardised algorithms browsers expose.

Should I still use SHA-1?

Only for non-security purposes. SHA-1 is considered cryptographically weak: a collision was demonstrated publicly in 2017. It is fine for things like Git object IDs or quick deduplication, but for signatures, certificates or integrity guarantees you should use SHA-256 or stronger.

Can I use a hash to store passwords?

Not a raw SHA hash on its own. Plain SHA-256 is far too fast, which makes brute-force guessing cheap. Real password storage uses a slow, salted key-derivation function such as bcrypt, scrypt or Argon2. Use these digests for integrity and fingerprinting, not for hashing user passwords directly.

How do I verify a file download with this tool?

Switch to the File tab and select the file you downloaded. The tool computes its SHA-256 (and other) digests. Compare the result against the checksum the publisher lists on their download page — if they match character-for-character, the file is intact and untampered.

Why does changing one character produce a completely different hash?

That is the avalanche effect, a required property of secure hash functions. Flipping a single bit of input changes roughly half the output bits, so similar inputs produce wildly different digests. This is what makes hashes useful for detecting even the smallest change to data.