Hash Generator & Verifier
MD5, SHA-256 & More
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes. Verify file integrity, create HMAC signatures, and compare hashes securely. 100% client-side. Zero data stored.
Hash Generator & Verifier Tool
Type or paste any text below. All hash algorithms are computed in real-time as you type.
All Hashes
- - - - - Drag & drop a file here or click to browse
Supports any file type. Large files are processed in chunks.
HMAC (Hash-based Message Authentication Code) combines a message with a secret key for authentication. Use this to sign API requests or verify data integrity with a shared secret.
Verify that text produces an expected hash. Useful for checking file integrity or validating that data hasn't been modified. The algorithm is automatically detected from the hash length.
Algorithm is auto-detected from hash length. Supports hex (lowercase/uppercase) and base64.
Algorithm
Select algorithm for File and HMAC tabs. Text tab shows all algorithms.
Output
Lengths
Common Use Cases
File Integrity Verification
Verify downloaded files haven't been tampered with by comparing their hash to the publisher's official checksum.
API Authentication
Generate HMAC signatures for API requests to prove message authenticity and integrity.
Data Deduplication
Hash files to identify duplicates without comparing entire file contents byte by byte.
Digital Signatures
Create cryptographic fingerprints for documents to ensure authenticity and detect tampering.
Version Control
Git uses SHA-1/SHA-256 hashes to identify commits, trees, and blobs uniquely across distributed systems.
Password Hashing
While not recommended for production (use bcrypt/Argon2), understand how basic hash-based password storage works.
Features
Real-Time Hashing
Hash updates instantly as you type. No submit button needed.
File Hashing
Hash any file type with streaming support for large files.
HMAC Support
Generate keyed hashes for message authentication.
Hash Verification
Compare hashes to verify file integrity or authenticity.
Security Warnings
Clear warnings for weak algorithms like MD5 and SHA-1.
100% Private
All hashing happens in your browser. Data never leaves your device.
Frequently Asked Questions
A hash function is a mathematical algorithm that converts input data of any size into a fixed-size output (the hash). Key properties include: deterministic (same input always produces same output), one-way (cannot reverse to get original input), and collision-resistant (hard to find two inputs with the same hash).
No, cryptographic hash functions are designed to be one-way. You cannot mathematically reverse a hash to get the original input. However, for short or common inputs, attackers can use rainbow tables (precomputed hash databases) or brute force attacks. This is why passwords should use specialized algorithms like bcrypt or Argon2 with salts, not plain hash functions.
These are different hash algorithms with varying output sizes and security levels. MD5 produces 128-bit hashes but has known vulnerabilities. SHA-1 produces 160-bit hashes and is deprecated due to collision attacks. SHA-256 (256-bit), SHA-384 (384-bit), and SHA-512 (512-bit) are part of the SHA-2 family and are currently considered secure for most applications.
MD5 is cryptographically broken and should not be used for security purposes. Researchers have demonstrated practical collision attacks where different inputs produce the same MD5 hash. However, MD5 is still acceptable for non-security uses like checksums for detecting accidental data corruption or as cache keys.
Don't use simple hash functions like SHA-256 for passwords. Instead, use password-specific algorithms like bcrypt, Argon2, scrypt, or PBKDF2. These are designed to be slow and memory-intensive, making brute force attacks impractical. Always add a unique salt per password and use appropriate iteration counts.
SHA-256 is widely used for: SSL/TLS certificates, Bitcoin and cryptocurrency mining, digital signatures, file integrity verification, password hashing (with proper salting), Git commit IDs, and software package verification. It's part of the SHA-2 family and is considered secure for current applications.
MD5 is cryptographically broken due to collision vulnerabilities discovered in 2004-2008. Attackers can create different files with the same MD5 hash (collision attack). While still useful for checksums and non-security purposes, never use MD5 for password hashing, digital signatures, or any security-critical application.
A hash collision occurs when two different inputs produce the same hash output. For secure algorithms like SHA-256, random collisions are astronomically unlikely - you'd need to hash 2^128 inputs to have a 50% chance. However, MD5 and SHA-1 have known collision attacks that make finding collisions practical.
No, they serve different purposes. Hashing is a one-way function that creates a fixed-size fingerprint of data and cannot be reversed. Encryption is a two-way process that scrambles data with a key and can be decrypted back to the original. Use hashing for data integrity and password storage, encryption for confidentiality.
Both algorithms have known collision vulnerabilities that allow attackers to create different files with identical hashes. MD5 was broken in 2004, and SHA-1 was practically broken in 2017 with the SHAttered attack. Modern applications requiring cryptographic security should use SHA-256 or stronger algorithms from the SHA-2 or SHA-3 families.
Rainbow tables are precomputed databases of hash values for common passwords and phrases. Attackers use them to quickly reverse-lookup hashes without computing them on-the-fly. This is why salting passwords is critical - adding a unique random value to each password before hashing makes rainbow tables ineffective.
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to verify both data integrity AND authenticity. Use HMAC when you need to ensure a message hasn't been tampered with and came from a trusted source. Common uses include API authentication, session tokens, and secure cookie verification.
Hashing is the process of converting a password into a fixed-size string. Salting adds a unique random value to each password before hashing. Without salts, identical passwords produce identical hashes, making them vulnerable to rainbow table attacks. Proper password storage requires both salting and using a password-specific algorithm like bcrypt.
Both are ways to represent binary hash data as text. Hex uses 16 characters (0-9, a-f), resulting in 2 characters per byte. Base64 uses 64 characters (A-Z, a-z, 0-9, +, /), resulting in about 1.33 characters per byte. Base64 is more compact but less human-readable. Hex is more common for hashes, while Base64 is often used for encoding binary data in JSON or URLs.
On Linux/Mac use commands like sha256sum, md5sum, or shasum. On Windows, use certutil -hashfile filename SHA256 or Get-FileHash in PowerShell. For example: sha256sum file.zip produces a SHA-256 hash. These tools are useful for verifying downloaded files against published checksums.
Why We Built Hash Generator
Security-conscious developers need cryptographic hashing for file verification, data integrity checks, and digital signatures - but most online hash tools send your sensitive data to external servers, creating unnecessary security risks.
Unlike those tools, Hash Generator processes everything locally using JavaScript's Web Crypto API. This means your data never leaves your computer. The tool works completely offline once loaded, making it safe for enterprise environments, air-gapped systems, and confidential work. Whether you're verifying downloaded software checksums, generating HMAC signatures for APIs, or comparing file hashes for deduplication, your data stays private.
Hash Generator is part of RJL.io's collection of free developer tools - each designed to do one thing exceptionally well, with no accounts, no tracking, and no data collection. Check out our other tools: UUID Generator, QR Code Generator, Base64 Encoder, and more. Every tool is 100% client-side, works offline, and respects your privacy.