MD5 is a widely used hash function producing a 128-bit hash value. It is commonly used for checksums.

SHA-256 is a cryptographic hash function that produces a 256-bit hash. Part of the SHA-2 family.

Hash Generator | MD5, SHA-1, SHA-256, SHA-512

You downloaded an ISO file and the website shows SHA-256: a3f2b.... You need to verify the download wasn’t corrupted or tampered with — but shasum -a 256 isn’t available on your Windows machine, and you’d rather not install a tool just to check one hash. Or you’re generating a cache-busting key from a file’s content and need a quick MD5 digest. Or you’re comparing two files and want to know if they’re identical without diffing 10,000 lines.

Why This Tool (Not the Terminal or Online Hash Sites)

Online hash generators like md5hashgenerator.com upload your text to their server — which defeats the purpose of verifying integrity if the server is compromised. Terminal tools (shasum, md5sum, certutil) vary across operating systems and require command-line access. This tool uses the browser’s Web Crypto API to compute MD5, SHA-1, SHA-256, and SHA-512 hashes entirely on your device. No data ever leaves your browser.

What Is a Hash Function?

A hash function is a mathematical algorithm that transforms any input data into a fixed-length string called a hash or digest. Hash functions are fundamental to modern computing, appearing in data integrity checks, cryptography, digital signatures, and password storage.

Key properties of a cryptographic hash function:

Deterministic: The same input always produces the same output
Fixed-length output: Regardless of input size, the output is always the same length
One-way: It is computationally infeasible to reverse the hash back to the original input
Avalanche effect: A small change in the input produces a completely different hash

Algorithm Comparison

Algorithm	Output Length	Security Status	Typical Use
MD5	128-bit (32 hex chars)	Broken — do not use for security	File checksums, deduplication
SHA-1	160-bit (40 hex chars)	Deprecated — avoid for new systems	Legacy Git commits, old TLS
SHA-256	256-bit (64 hex chars)	Secure	Signatures, certificates, blockchain
SHA-512	512-bit (128 hex chars)	Secure	High-security applications

MD5: Fast but Cryptographically Broken

MD5 produces a 128-bit hash. Developed by Ronald Rivest in 1991, MD5 was widely used for cryptographic purposes until 2004, when researchers demonstrated practical collision attacks — two different inputs producing the same hash.

MD5 is still appropriate for:

Detecting accidental file corruption (not malicious tampering)
Deduplicating files in a database
Non-security-critical checksums in internal systems
Legacy API compatibility where you cannot change the algorithm

MD5 is NOT appropriate for:

Password storage (use bcrypt, Argon2, or scrypt instead)
Digital signatures or certificates
Any security-sensitive integrity check

SHA-256: The Industry Standard

SHA-256 is part of the SHA-2 family, producing a 256-bit hash. It is the current industry standard for cryptographic security and is used in TLS certificates, code signing, Bitcoin, and most modern security protocols.

// SHA-256 in the browser (Web Crypto API)
async function sha256(message) {
  const msgBuffer = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}

const hash = await sha256('Hello, World!');
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"

# SHA-256 in Python
import hashlib

text = "Hello, World!"
hash_value = hashlib.sha256(text.encode('utf-8')).hexdigest()
# "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"

# Hash a file
with open('file.zip', 'rb') as f:
    file_hash = hashlib.sha256(f.read()).hexdigest()

# SHA-256 on the command line
echo -n "Hello, World!" | sha256sum
# dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d

# Hash a file
sha256sum downloaded-file.zip

SHA-512: Maximum Security

SHA-512 produces a 512-bit hash. On 64-bit processors, SHA-512 is often faster than SHA-256 because it processes data in 64-bit words rather than 32-bit words. Use SHA-512 when you need the highest security margin or when processing large files on 64-bit systems.

import hashlib
hash_value = hashlib.sha512("Hello, World!".encode()).hexdigest()

File Integrity Verification Workflow

The most common real-world use of hash generators is verifying downloaded files. Here’s the complete workflow:

Download the file from the official source (e.g., ubuntu-24.04-desktop-amd64.iso)
Find the published checksum — usually a .sha256 or .sha512 file on the same download page
Hash your downloaded file using this tool (switch to the File tab, drag and drop)
Compare the hashes — they must match exactly, character for character

If the hashes differ, the file was corrupted during download or (in rare cases) tampered with. Re-download from the official source.

# Verify a downloaded file on Linux/macOS
sha256sum -c ubuntu-24.04-desktop-amd64.iso.sha256

# Or manually compare
sha256sum ubuntu-24.04-desktop-amd64.iso
# Then compare with the published hash

HMAC: Authenticated Hashing

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. Unlike a plain hash, HMAC proves both that the data is intact and that it came from someone who knows the secret key.

Common HMAC use cases:

Webhook signatures: GitHub, Stripe, and Slack sign webhook payloads with HMAC-SHA256 so your server can verify the request is genuine
JWT tokens: The signature portion of a JWT is an HMAC of the header and payload
API request signing: AWS Signature Version 4 uses HMAC-SHA256 to authenticate API requests

// Verify a GitHub webhook signature
async function verifyGitHubWebhook(payload, signature, secret) {
  const key = await crypto.subtle.importKey(
    'raw',
    new TextEncoder().encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );
  const mac = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(payload));
  const expected = 'sha256=' + Array.from(new Uint8Array(mac))
    .map(b => b.toString(16).padStart(2, '0')).join('');
  return expected === signature;
}

import hmac, hashlib

def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(f"sha256={expected}", signature)

Note: HMAC-MD5 is not available in this browser tool because the Web Crypto API excludes MD5 from key operations. Use HMAC-SHA256 for all new implementations.

Why You Cannot Reverse a Hash

Hash functions are designed to be one-way by construction. SHA-256 maps any input (a single byte or a terabyte file) to exactly 64 hex characters. Because the output space (2²⁵⁶ possible values) is vastly smaller than the input space (infinite possible inputs), the mapping is inherently lossy — information is destroyed.

Rainbow tables are precomputed databases of hash→input mappings for common inputs (dictionary words, common passwords). They can “reverse” hashes for weak inputs. This is why passwords must be hashed with a salted algorithm (bcrypt, Argon2) rather than plain SHA-256 — the salt makes rainbow table attacks impractical.

Hashing in Different Languages

// Node.js — built-in crypto module
const crypto = require('crypto');
crypto.createHash('sha256').update('Hello, World!').digest('hex');

import hashlib
hashlib.sha256(b'Hello, World!').hexdigest()

import java.security.MessageDigest;
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] hash = md.digest("Hello, World!".getBytes("UTF-8"));

import "crypto/sha256"
import "fmt"
h := sha256.Sum256([]byte("Hello, World!"))
fmt.Sprintf("%x", h)

Frequently Asked Questions

Is this hash generator private? Yes. All hash computation happens entirely in your browser using the Web Crypto API (crypto.subtle.digest). No data — text or files — is ever sent to any server. Files are read locally using the FileReader API.

What is the difference between MD5 and SHA-256? MD5 produces a 128-bit hash and has known collision vulnerabilities — two different inputs can produce the same MD5 hash. SHA-256 produces a 256-bit hash with no known practical attacks. Use SHA-256 for any security-sensitive purpose.

Can I reverse a hash? No. Hash functions are one-way by design. For common/weak inputs, rainbow table lookups can find the original value — which is why passwords must be hashed with bcrypt or Argon2 (which include salting), not plain SHA-256.

Why does changing one character change the entire hash? This is the avalanche effect — a core design property of cryptographic hash functions. It ensures that similar inputs produce completely different outputs, making it impossible to infer anything about the input from the output.

Should I use SHA-256 or SHA-512? Both are secure. SHA-512 offers a larger security margin and is faster on 64-bit hardware. SHA-256 is more widely supported and produces shorter output. For most applications, SHA-256 is the right choice.

Can I hash a file, not just text? Yes. Switch to the File tab and drag and drop any file. The tool reads it locally using the FileReader API and computes the hash without uploading anything.

Hash Generator