All tools
Security tools

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text — all five algorithms at once, with one-click copy.

MD5 · 128-bit SHA-1 · 160-bit SHA-256 · 256-bit SHA-384 · 384-bit SHA-512 · 512-bit
Get started free Sign in

Free · No credit card · 50 credits/day

Algorithm comparison

Five algorithms, one tool. Know which one to reach for.

Algorithm Output length Security status Common uses
MD5 128-bit / 32 hex Broken File checksums, non-security deduplication
SHA-1 160-bit / 40 hex Broken Legacy systems, Git commit IDs
SHA-256 256-bit / 64 hex Secure TLS certificates, JWT, file integrity
SHA-384 384-bit / 96 hex Secure High-assurance signatures, TLS 1.3
SHA-512 512-bit / 128 hex Secure Digital signatures, HMAC, archival integrity

What are hashes used for?

Cryptographic hashes appear throughout software, security and data engineering.

🔍

File integrity verification

Hash a file before and after download to confirm it hasn't been tampered with. SHA-256 checksums are standard for software distribution.

🔐

API request signing

HMAC-SHA256 signs API requests so the server can verify the payload hasn't changed in transit — used by AWS, Stripe, GitHub webhooks and many others.

📦

Content deduplication

Hash file content to detect duplicates without comparing bytes. Git hashes every blob, tree and commit with SHA-1 (now migrating to SHA-256).

🪙

Blockchain and proof of work

Bitcoin uses double SHA-256 to mine blocks. Ethereum uses Keccak-256. Proof-of-work relies on the infeasibility of reversing a hash.

🖊️

Digital signatures

Signing systems like RSA-SHA256 hash the message first, then sign the short hash — fast, secure, and independent of message length.

🗄️

Database deduplication

Hash user-uploaded content (images, documents) to detect duplicates before storing — much faster than comparing raw bytes at scale.

MD5 and SHA-1 are broken — here's what that means

Collision attacks exist for both. A collision means two different inputs produce the same hash. For MD5, collisions can be found in seconds on a laptop. For SHA-1, they were demonstrated in practice by Google's SHAttered attack in 2017.

Do not use MD5 or SHA-1 for digital signatures, certificates or security tokens. An attacker who can craft a collision can forge a document that hashes to the same value as a legitimate one.

MD5 is still fine for non-security checksums. Verifying a file download against a known MD5 checksum is not a security decision — it catches accidental corruption, not attacks. Speed and simplicity win here.

SHA-256 is the safe default. It is part of the SHA-2 family, has no known practical attacks, and is supported everywhere. Use it unless you have a specific reason for SHA-384 or SHA-512.

SHA-512 is better for 64-bit systems. SHA-512 uses 64-bit operations internally and is actually faster than SHA-256 on 64-bit CPUs, while producing a longer digest.

Never use any of these to hash passwords. All general-purpose hash functions are intentionally fast, which makes them easy to brute-force. Use bcrypt, scrypt or Argon2 for passwords instead.

Frequently asked questions

What is a cryptographic hash?

A cryptographic hash is a fixed-length string produced by a hash function from an input of any size. The same input always produces the same hash, but even a single character change produces a completely different output. Hashes are one-way — you cannot reverse them to recover the original input.

Which hash algorithm should I use?

For security-critical uses (digital signatures, certificates, integrity checks) use SHA-256 or SHA-512. SHA-1 and MD5 are cryptographically broken and should only be used for non-security purposes such as checksums or deduplication where collision resistance is not required.

What is the difference between MD5 and SHA-256?

MD5 produces a 128-bit (32 hex character) digest and is fast but cryptographically broken — collisions can be found in seconds. SHA-256 produces a 256-bit (64 hex character) digest, is part of the SHA-2 family, and remains secure against known attacks. Use SHA-256 or stronger for any security-sensitive application.

Can I use this to hash passwords?

No. General-purpose hash functions like MD5, SHA-1 and SHA-256 are intentionally fast, making them easy to brute-force for password cracking. For passwords, use a dedicated slow hash function like bcrypt, scrypt or Argon2. Try our Bcrypt Generator tool for that purpose.

Related security tools

More tools for cryptography and password security.

Bcrypt Generator

Hash passwords securely with bcrypt — the right tool for storing credentials.

Password Generator

Generate cryptographically secure random passwords with custom length and charset.

Password Strength Checker

Score any password and see how long it would take to crack.

Generate a hash now

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →