MD5 & SHA-256 Hash Generator — Generate and Verify File Hashes Online

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for any text or file instantly. Create HMAC authentication codes with a secret key. Switch between hex and Base64 output formats. All hashing is performed locally in your browser — no data is ever sent to a server.

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. Supports HMAC authentication codes. All processing happens locally in your browser.

Frequently Asked Questions

What is a hash function?

A hash function is a mathematical algorithm that takes an input of any size and produces a fixed-size output called a hash, digest, or checksum. The same input always produces the same hash, and even a tiny change in the input creates a completely different output. Hash functions are one-way — you cannot reverse the hash to recover the original data.

What is the difference between MD5 and SHA-256?

MD5 produces a 128-bit (32-character hex) hash and is significantly faster, but it is cryptographically broken — researchers have demonstrated practical collision attacks since 2004. SHA-256 produces a 256-bit (64-character hex) hash and is part of the SHA-2 family designed by the NSA. SHA-256 has no known practical attacks and is the recommended standard for security applications including TLS certificates and blockchain.

Is MD5 still secure?

No. MD5 is cryptographically broken and should not be used for security purposes such as digital signatures, certificate validation, or password hashing. Collision attacks can be performed in seconds on modern hardware. However, MD5 is still acceptable for non-security uses like basic file checksums and data deduplication where malicious tampering is not a concern.

How do I verify file integrity with a hash?

Download the file and the hash value published by the source (often a SHA-256 checksum). Use this tool's File Upload tab to generate the hash of your downloaded file. Compare the generated hash with the published hash — if they match exactly, the file is intact and was not corrupted or tampered with during transfer.

What is HMAC and how is it different from a regular hash?

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce an authentication code. Unlike a plain hash that only verifies data integrity, HMAC also proves authenticity — only someone with the secret key can generate the correct HMAC. HMAC is used in API authentication (AWS, Stripe), JWT tokens (HS256 = HMAC-SHA256), TLS handshakes, and webhook verification.

What are rainbow tables?

Rainbow tables are precomputed lookup tables that map hash values back to their original inputs. Attackers use them to crack password hashes by looking up the hash in the table instead of brute-forcing every possibility. Rainbow tables are effective against unsalted hashes, which is why modern password storage always uses salting (adding random data before hashing) to defeat rainbow table attacks.

What is a salt in hashing?

A salt is a random value added to the input before hashing. Each password gets a unique salt, so even if two users have the same password, their stored hashes will be different. Salting prevents rainbow table attacks and makes precomputation infeasible. The salt is stored alongside the hash — it does not need to be secret, only unique per password.

Why use bcrypt or Argon2 instead of SHA-256 for passwords?

SHA-256 is designed to be fast, which is a disadvantage for password hashing — attackers can try billions of guesses per second. Bcrypt, scrypt, and Argon2 are purpose-built password hashing functions that are intentionally slow and memory-intensive. They include a configurable work factor that can be increased over time as hardware improves, making brute-force attacks impractical.

Can two different inputs produce the same hash?

Theoretically yes — this is called a collision. Since hash functions map infinite possible inputs to a finite output space, collisions must exist. However, for secure hash functions like SHA-256, finding a collision is computationally infeasible (would take billions of years with current technology). For broken algorithms like MD5, collisions can be found in seconds.

Does any data leave my browser when using this tool?

No. All hash computation happens entirely in your browser using the Web Crypto API and JavaScript. Your text and files are never uploaded to any server. You can verify this by using the tool with your network connection disabled — it will work identically.

What is SHA-512 used for?

SHA-512 produces a 512-bit (128-character hex) hash and is part of the SHA-2 family. It is used in high-security applications, digital signatures, certificate authorities, and as a building block in protocols like TLS 1.3. SHA-512 is actually faster than SHA-256 on 64-bit processors because its algorithm naturally operates on 64-bit words. It is also the basis for SHA-512/256, used in some cryptocurrency implementations.

How do I generate an MD5 or SHA-256 hash of a file on my computer?

On Windows, open PowerShell and run: Get-FileHash -Algorithm SHA256 file.txt (or replace SHA256 with MD5). On macOS/Linux, use the terminal: sha256sum file.txt (Linux) or shasum -a 256 file.txt (macOS). For MD5: md5sum file.txt (Linux) or md5 file.txt (macOS). Alternatively, use the File Upload tab on this page — it processes the file entirely in your browser.

How do I generate a hash in Python or JavaScript?

In Python: import hashlib; hashlib.sha256(b'hello').hexdigest() returns the SHA-256 hash. For MD5: hashlib.md5(b'hello').hexdigest(). In JavaScript (Node.js): crypto.createHash('sha256').update('hello').digest('hex'). In browser JavaScript: await crypto.subtle.digest('SHA-256', new TextEncoder().encode('hello')), then convert the ArrayBuffer to hex.

How to Generate a Hash Online

A cryptographic hash function converts any input — a password, a file, a message — into a fixed-length string of characters called a hash (also known as a digest or checksum). This tool computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes simultaneously, entirely in your browser using the Web Crypto API. No data is ever sent to a server.

  1. Choose the Text Input tab to hash a string, or File Upload to hash a file, or HMAC to generate an authentication code.
  2. Type or paste your text, or drag and drop a file onto the upload zone.
  3. All five hash algorithms are computed in real time and displayed below the input.
  4. Use the output format toggle to switch between lowercase hex, uppercase hex, or Base64 encoding.
  5. Click the copy button to copy any hash. Use the Compare section to verify a hash matches.

MD5 vs SHA-256: Which Hash Algorithm Should You Use?

MD5 and SHA-256 are the two most commonly searched hash algorithms, but they serve very different purposes today. MD5 was designed by Ronald Rivest in 1991 and produces a 128-bit hash. MD5 is cryptographically broken— researchers demonstrated practical collision attacks in 2004, and by 2008 MD5 was used to forge a rogue SSL certificate. It should not be used for security purposes.

SHA-256, part of the SHA-2 family designed by the NSA, produces a 256-bit hash with no known practical attacks. It is the recommended standard for TLS certificates, blockchain (Bitcoin uses double-SHA-256), digital signatures, and any security-sensitive application. SHA-256 is slower than MD5 but dramatically more secure.

Rule of thumb: Use SHA-256 (or SHA-512) for anything security-related. MD5 is only acceptable for non-security checksums like data deduplication or legacy system compatibility where tampering is not a concern.

Hash Algorithm Comparison Table

The following table compares the five hash algorithms supported by this tool:

AlgorithmOutput SizeSecurity StatusSpeedPrimary Use Case
MD5128 bits (32 hex)BrokenVery fastLegacy checksums only
SHA-1160 bits (40 hex)DeprecatedFastLegacy systems, Git (transitioning)
SHA-256256 bits (64 hex)SecureModerateTLS certificates, blockchain, general use
SHA-384384 bits (96 hex)SecureModerateGovernment and high-security applications
SHA-512512 bits (128 hex)SecureFast on 64-bitMaximum security, large data integrity

How to Verify File Integrity with a Hash

Software publishers often provide a SHA-256 checksum alongside their downloads so you can verify the file was not corrupted or tampered with during transfer. Here's how to use this tool for verification:

  1. Download the file and note the published hash (usually SHA-256) from the official source.
  2. Switch to the File Upload tab and drag your downloaded file onto the upload zone.
  3. Copy the generated SHA-256 hash from the results.
  4. Paste the published hash into the Compare Hash section — if it shows "Match," your file is authentic.

You can also verify file hashes from the command line: certutil -hashfile file.zip SHA256 on Windows, sha256sum file.zip on Linux, or shasum -a 256 file.zip on macOS.

What Is HMAC and How Does It Work?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce an authentication code. Unlike a plain hash, HMAC proves both the integrity andthe authenticity of a message — only someone with the secret key can generate the correct HMAC.

HMAC is defined in RFC 2104 as: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)), where H is the hash function, K is the key padded to the block size, and ipad/opad are fixed padding constants (0x36 and 0x5c).

HMAC is used in TLS/SSL handshakes, API authentication (AWS Signature V4, Stripe webhooks), JWT token signing (HS256 = HMAC-SHA256), OAuth 1.0 request signing, and IPsec VPN authentication. Use the HMAC tab in this tool to generate HMAC values with any of the five supported algorithms.

Hash Generation in Programming Languages

Here are quick reference examples for generating SHA-256 hashes in popular programming languages:

LanguageSHA-256 Code Example
Pythonhashlib.sha256(b"hello").hexdigest()
JavaScriptcrypto.subtle.digest("SHA-256", data)
PHPhash("sha256", "hello")
JavaMessageDigest.getInstance("SHA-256").digest(bytes)
C#SHA256.HashData(Encoding.UTF8.GetBytes("hello"))
Gosha256.Sum256([]byte("hello"))
Bashecho -n "hello" | sha256sum
PowerShellGet-FileHash -Algorithm SHA256 file.txt

For MD5, replace the algorithm name accordingly: hashlib.md5() in Python, hash("md5", ...) in PHP, MD5.HashData() in C#. Note that most languages provide built-in hash functions through their standard crypto libraries.

Common Hash Use Cases

  • File Integrity Verification — Compare a file's hash against the publisher's checksum to detect corruption or tampering
  • Password Storage — Modern systems store password hashes (with salt) using specialized algorithms like bcrypt or Argon2, never plaintext
  • Digital Signatures — A document is hashed, then the hash is signed with a private key for authenticity verification
  • Blockchain & Cryptocurrency — Bitcoin uses double-SHA-256; Ethereum uses Keccak-256. Each block links to the previous via its hash
  • Data Deduplication — Hash values quickly identify duplicate files without byte-by-byte comparison
  • Content Addressing — Git uses SHA-1 (migrating to SHA-256), IPFS and Docker use SHA-256 as content identifiers
  • API Authentication — HMAC-SHA256 authenticates API requests in AWS, Stripe, and many webhook systems
  • SRI (Subresource Integrity) — Browsers verify CDN-hosted scripts with Base64-encoded SHA-384 hashes in the integrity attribute

Learn More About Hashing

Related Tools

Related Tools

Base64 Encoder & Decoder
Encode and decode Base64 strings for data transmission and SRI hashes
Hex to Text Converter
Convert hexadecimal hash output to readable text
Hex to Binary Converter
Convert hash hex strings to binary representation
URL Encoder & Decoder
Percent-encode URLs when passing hash values as query parameters