Cryptography

Hash Generator

Compute MD5, SHA-1, SHA-256, and SHA-512 hashes from any text. All four hashes computed simultaneously. Local-only — input never leaves the browser.

MD5 Type to compute

SHA-1 Type to compute

SHA-256 Type to compute

SHA-512 Type to compute

About hash functions

Generate cryptographic hashes — MD5, SHA-1, SHA-256, SHA-512 — from any text input. Useful for integrity checks, fingerprinting, and learning how hash functions behave. Everything runs locally in your browser; nothing is uploaded.

What a hash function is

A cryptographic hash function takes any input — short or long, text or binary — and produces a fixed-size output called a digest or hash. Two essential properties:

Deterministic. Same input always produces the same output. Run it twice on the same string, get the same hash.
Avalanche. Change one bit of the input, ~50% of the output bits change. The hash for "hello" looks completely different from the hash for "Hello".

The output of a hash function looks random but isn't — it's the unique fingerprint of the input. Two different inputs producing the same hash is called a "collision." For a good hash function, collisions are computationally infeasible to find.

The four functions in this tool

Function	Output size	Status	Use for
MD5	128 bits / 32 hex chars	Broken (2004)	Cache keys, dedup IDs only
SHA-1	160 bits / 40 hex chars	Broken (2017)	Legacy compatibility only
SHA-256	256 bits / 64 hex chars	Secure	General use, integrity, identifiers
SHA-512	512 bits / 128 hex chars	Secure	Long-term integrity, fast on 64-bit

"Broken" here means a known attack reduces the cost of finding a collision below the brute-force minimum. The functions still work mechanically, but you can't rely on collision resistance — so don't use them where collision resistance matters.

What hashes are good for

Integrity verification. A file's SHA-256 in a downloaded checksum file lets you verify the file wasn't corrupted in transit or tampered with. After download, recompute the hash; if it matches the published value, the file is intact.
Deterministic identifiers. Hash a long string (a URL, a content blob) to get a short, fixed-length ID. Cache keys, dedup IDs, and content-addressable storage all use this pattern.
Digital signatures. Cryptographic signatures hash the document first, then sign the hash. Hashing reduces a document of any size to a fixed-size value the signature algorithm can handle.
Tamper detection. Compare the hash of a config file from yesterday to today's. If they differ, something changed.

What hashes are NOT good for

Password storage. A plain hash of a password is breakable by precomputed lookup tables (rainbow tables). Use bcrypt, scrypt, or Argon2id — these are designed to be slow and memory-intensive specifically to defeat brute force. SHA-256 of a password is faster than bcrypt by 10,000× and that speed favors the attacker.
Encryption. Hashing is one-way — you can't get the input back. For something that needs to be decrypted later, use AES or another encryption algorithm.
Random number generation. Hashing isn't a random source. For random values, use the OS's CSPRNG (crypto.getRandomValues() in browsers).

Encoding matters

Hashing operates on bytes, not characters. The string "café" produces a different hash if encoded as Latin-1 (4 bytes) vs UTF-8 (5 bytes). The TextKit hash generator uses UTF-8 by default — the modern standard for almost everything.

If you're comparing hashes across tools or systems and getting different results, encoding mismatch is the first thing to check. Make sure both ends are encoding the input the same way.

Salt — and why password hashing isn't just hashing

If you hash "password123" with SHA-256, every system that does the same gets the same output. An attacker who steals one hash database can compare against any other. The fix is salting: prepend a random value to the input before hashing. Each user's salt is different, so identical passwords produce different hashes.

But salting alone isn't enough. SHA-256 is fast — billions of guesses per second on a modern GPU. Password hashing requires algorithms designed to be slow: bcrypt (~100ms per hash), scrypt (~tunable), Argon2id (~tunable, also memory-hard).

This tool produces plain hashes. For password storage in a real system, use a dedicated library: bcrypt, node-argon2, passlib, or your framework's built-in password hasher.

How the tool works

All four hashes run in your browser using the Web Crypto API (SubtleCrypto.digest()) for SHA-1, SHA-256, and SHA-512. MD5 isn't part of Web Crypto (deliberately — it's deprecated), so it runs via a pure-JS implementation.

Nothing leaves your device. The hash function runs locally, the input never touches a network, and the result appears immediately. Useful when the input is sensitive (internal IDs, API tokens, NDA-covered content) and you don't want to paste it into a server-side hash service.

Local-only hashing. All four hash functions run entirely in your browser. Nothing is uploaded, logged, or transmitted.

Practical examples

Verifying a download. The project's release page shows SHA-256: a1b2c3.... Drop the downloaded file's text content (or read its bytes) into the hash generator with SHA-256 selected. Match? Download is intact.
Generating a stable cache key. Hash the URL or query parameters with SHA-256. The first 12 hex characters are usually plenty unique for a cache-key namespace and short enough for filenames.
Detecting content change. Hash a file's contents, store the hash. Re-hash periodically; if the hash changed, the file changed.
Quick integrity demo. Hash a document, change one character, hash again. The two hashes share no recognizable pattern — that's the avalanche property.

Frequently asked questions

Which hash function should I use?

For integrity checks (verify a download wasn't corrupted): SHA-256. For password storage: don't use any of these directly — use bcrypt, scrypt, or Argon2id. For collision-resistant identifiers: SHA-256 or SHA-512. MD5 and SHA-1 are broken and only suitable for non-security uses (cache keys, dedup IDs).

Why is MD5 still around if it's broken?

Backward compatibility. Many existing systems use MD5 for fingerprinting, and replacing it requires migration. For new code, never use MD5 for anything where collision-resistance matters — but MD5 is fine for cache keys, file dedup IDs, and other non-security uses where the only requirement is 'same input gives same output'.

Is SHA-1 safe to use?

No, not for security. The first practical SHA-1 collision was published in 2017 (the SHAttered attack). Modern systems should use SHA-256 or SHA-3 for any security-relevant hashing.

What's the difference between SHA-256 and SHA-512?

SHA-512 produces a longer hash (64 bytes vs 32) and uses 64-bit words internally. On 64-bit hardware, SHA-512 is often faster than SHA-256. SHA-512/256 is a variant that uses SHA-512's internal pipeline but truncates to 256 bits — fast and modern.

Why is my hash different from another tool's output for the same text?

Almost always character encoding. The string 'café' produces a different hash if encoded as Latin-1 vs UTF-8 because the bytes are different. The TextKit hash generator uses UTF-8 by default (the modern standard); other tools may differ.

Can hashing reverse a string?

No. A cryptographic hash is one-way — given a hash, there's no efficient way to recover the original input. The exception is precomputed lookup tables (rainbow tables) for common short inputs like passwords. This is why password storage uses salted bcrypt/scrypt/Argon2 — not a plain hash.

Tool