Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes of any text, computed in your browser.
Input
Hashes update as you type.
What this tool does
Computes SHA-1, SHA-256, SHA-384, and SHA-512 digests of your text at once, updating as you type. All four are shown together because comparing them is usually why you're here.
What a hash is good for
A hash is a fixed-length fingerprint. The same input always yields the same output, a one-character change yields a completely different one, and the process cannot be reversed. That makes hashes useful for verifying a download arrived intact, detecting whether a file changed, and deduplicating content.
Which algorithm to pick
- SHA-256 — the default for essentially everything. Use this unless you have a reason not to.
- SHA-384 / SHA-512 — longer digests, required by some standards. On 64-bit hardware SHA-512 is often faster than SHA-256.
- SHA-1 — broken since 2017; practical collisions exist. Shown only because legacy systems (older Git object IDs, some checksums) still use it. Never choose it for new work.
Do not hash passwords with this
Worth stating plainly: SHA is the wrong tool for passwords. Its speed is a feature for checksums and a fatal flaw for credentials — a modern GPU tries billions of SHA-256 guesses per second. Passwords need a deliberately slow, salted algorithm such as bcrypt, scrypt, or Argon2.
Why there's no MD5
MD5 is cryptographically broken, and the browser's Web Crypto API deliberately refuses to implement it. Adding it would mean shipping a third-party implementation purely to enable a choice nobody should make.
FAQ
What is a hash?
A hash is a fixed-length fingerprint of some data. The same input always produces the same hash, while changing a single character produces a completely different one. Hashes are one-way: you cannot recover the original text from the hash.
Which algorithm should I use?
SHA-256 is the sensible default for almost everything. Use SHA-384 or SHA-512 when a longer digest is required. Avoid SHA-1 for anything security-related — practical collision attacks against it exist — though it still appears in legacy systems such as older Git object IDs.
Why is MD5 not offered?
MD5 is cryptographically broken and the Web Crypto API deliberately does not implement it. Offering it would mean shipping a third-party implementation to support an algorithm nobody should choose for new work.
Can I use this to hash passwords?
No. Plain SHA hashes are far too fast, which makes brute-forcing cheap. Passwords need a deliberately slow algorithm with a per-user salt, such as bcrypt, scrypt, or Argon2. This tool is for checksums and fingerprints, not credential storage.
Is my text sent to a server?
No. Hashing uses the browser's built-in Web Crypto API and runs entirely on your device. Nothing is uploaded, logged, or stored.