Skip to content
TypeParser
All tools

Hash Generator

MD5, SHA-1, SHA-256, SHA-384, SHA-512 in one go.

beats md5hashgenerator.com edge: All hashes at once + file drop + HMAC
input
hashesawaiting input
Guide

About Hash Generator

Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 simultaneously from any string or file. HMAC mode lets you sign with a shared secret. Files up to about 1 GB are read in chunks so the browser never blocks. Hashes are computed via <code>SubtleCrypto</code> — your data does not leave the page.

What a hash is

A cryptographic hash maps any input — a byte, a string, a 4 GB ISO — to a fixed-length output that is practically impossible to reverse. Same input → same hash, every time. Two different inputs → with overwhelming probability, different hashes. This single property powers integrity checks, password storage, content-addressable storage, blockchain, and most digital signatures.

Which algorithm?

AlgorithmOutputUse case
MD5128 bitsLegacy file checksums, ETags. Not for security.
SHA-1160 bitsGit commit SHAs (transitioning to SHA-256). Not for security.
SHA-256256 bitsThe modern default. TLS, signatures, blockchain, JWT HS256.
SHA-384384 bitsWeb Crypto-friendly, used in JWT HS384, some TLS suites.
SHA-512512 bitsHigher security margin, slower on 32-bit, common in Linux shadow.

For new code, default to SHA-256. It is fast on every modern CPU, supported everywhere, and provides a security margin that survives until quantum threats become real.

How to use this tool

Hash a string. Paste into the input. All five hashes appear simultaneously — one click copies any.

Hash a file. Drag and drop. The file streams through chunks; a progress bar shows the hash building. Useful for verifying a download against the publisher’s posted checksum.

HMAC mode. Toggle on, paste the shared secret, paste the message. Computes HMAC-SHA-256/384/512 in parallel. Used for webhook verification (Stripe, GitHub, Shopify) and API request signing (AWS SigV4, HMAC bearer auth).

Common workflows

Verify a software download. The publisher posts SHA-256. You drop the file here, compare. Mismatch means the download corrupted or you grabbed a tampered mirror.

Sign a webhook. Implementing a webhook receiver. Compute the HMAC locally with the same secret, compare against the X-Signature header. Match → the request really came from your sender.

Build a deterministic ID. Hash a (user_id + timestamp + nonce) tuple to produce a stable opaque identifier. SHA-256 is plenty; truncate to 128 bits if you need shorter output.

Why local hashing matters

A file hash often is the entire reason you cared — proving the download is the file the author signed. Sending it through a remote hashing site defeats the purpose: a malicious server could lie about the hash. Local hashing closes that gap. Your file, your CPU, the same mathematical answer everyone else’s tool will produce.

Frequently asked questions

Is MD5 still safe to use?
For collision resistance — no. MD5 has been collision-broken for two decades and SHA-1 since 2017. Use SHA-256 for any security-relevant hash. MD5 and SHA-1 remain useful for non-cryptographic checks (file de-dupe, ETag, integrity verification of trusted sources).
Why would I need every hash at once?
Most practical reason — comparing against documentation that uses one algorithm while your tool emits another. Many projects publish SHA-256 alongside MD5 as a transition aid; computing both at once removes the conversion friction.
How does file hashing work?
Drag the file in. We read it via the File API, chunk through 16 KB blocks, and feed each block to SubtleCrypto.digest. The browser stays responsive throughout — even 1 GB videos hash without locking the UI.
What is HMAC?
A keyed hash. Instead of hash(message) you compute hash(secret + message) in a way that resists length-extension attacks. Used everywhere a server needs to verify a request was signed by a party holding the shared secret — webhooks, API auth, cookie signatures.
Why are my SHA-256 results different from <code>shasum</code>?
Almost always a newline difference. echo "hello" appends a newline; echo -n "hello" does not. Paste with the trailing newline if your file has one — match the byte sequence and the hashes will agree.
Are uploads encrypted?
There are no uploads. The file never leaves the browser tab. Open DevTools → Network → confirm: zero requests when you hash. The same is true of HMAC mode and string mode.

Related tools

Last updated: 2025-01-15