Generate MD5, SHA-1, SHA-256, SHA-512 hashes — text, files, HMAC. Private & instant.
128-bit (32 hex chars). Very fast. Still widely used for file integrity checks and checksums where security is not required. Never use for passwords or digital signatures — collision attacks have been demonstrated since 2004.
160-bit (40 hex chars). Deprecated by NIST in 2011. Practical collision attacks were demonstrated in 2017 (SHAttered). Avoid for new code — use SHA-256 or better.
256-bit (64 hex chars). Part of the SHA-2 family. Currently considered secure and widely used: TLS certificates, code signing, Bitcoin, JWTs. Use for any security-critical application.
512-bit (128 hex chars). Stronger than SHA-256, performs better on 64-bit CPUs. Use when maximum security margin is required, such as long-term file archiving or high-security key derivation.
Hash-based Message Authentication Code. Combines a secret key with a hash function to prove both data integrity and authenticity. Used in JWT signatures, AWS request signing, API authentication, and webhook verification.
Hash any file to verify integrity. Compare the hash before and after transfer, or against a published checksum, to confirm the file hasn't been modified or corrupted. Uses the FileReader API — nothing is uploaded.
// SHA-256 via SubtleCrypto
const buf = await crypto.subtle.digest(
'SHA-256',
new TextEncoder().encode(text)
);
const hex = [...new Uint8Array(buf)]
.map(b => b.toString(16).padStart(2,'0'))
.join('');
// Node.js
const { createHash } = require('crypto');
createHash('sha256').update(text).digest('hex');import hashlib
# SHA-256
hashlib.sha256(b'hello').hexdigest()
# MD5
hashlib.md5(b'hello').hexdigest()
# HMAC-SHA256
import hmac
hmac.new(key.encode(), msg.encode(),
hashlib.sha256).hexdigest()
# File hash
with open('file', 'rb') as f:
hashlib.sha256(f.read()).hexdigest()// Go
import "crypto/sha256"
import "fmt"
h := sha256.Sum256([]byte("hello"))
fmt.Sprintf("%x", h)
// HMAC
import "crypto/hmac"
mac := hmac.New(sha256.New, key)
mac.Write(message)
hex.EncodeToString(mac.Sum(nil))
// PHP
hash('sha256', 'hello');
hash_hmac('sha256', $msg, $key);A hash function takes any input (text, file, binary data) and produces a fixed-size output called a digest or hash. Key properties: it is deterministic (same input always gives same output), one-way (you cannot reverse a hash to recover the input), and collision-resistant (it is computationally infeasible to find two different inputs that produce the same hash). These properties make hashes useful for verifying integrity, storing passwords, and digital signatures.
MD5 (128-bit) and SHA-1 (160-bit) are fast but cryptographically broken — real-world collision attacks exist for both. They are still safe for non-security uses like file checksums and cache keys. SHA-256 (256-bit) is the current standard for security-critical applications. SHA-512 (512-bit) provides a larger security margin and is faster on 64-bit systems. For new code: use SHA-256 minimum, SHA-512 for maximum security.
Yes — this is one of the most common uses of hashing. Switch to File Hash mode, drop your file, and compare the SHA-256 or MD5 hash with the checksum published by the software distributor. If the hashes match, the file has not been modified or corrupted. Even a single changed bit in the file produces a completely different hash.
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function. While a plain hash verifies data integrity, HMAC also verifies authenticity — only someone with the secret key can produce the correct HMAC. Use it for: webhook verification (compare the HMAC of the request body against the signature header), JWT signing with HS256/HS512, API request signing (like AWS Signature v4), and session token validation.
No. SHA-256 is too fast for password hashing — attackers can compute billions of SHA-256 hashes per second on a GPU. For passwords, use purpose-built slow algorithms: bcrypt, Argon2, or scrypt. These are deliberately slow and use memory-hard computations to resist brute-force and GPU attacks. Most frameworks have these built in — never implement password hashing manually.
Yes. SHA hashing uses the browser's built-in SubtleCrypto API. MD5 uses a pure JavaScript implementation. Nothing is sent to any server. File hashing reads the file locally via FileReader — the file never leaves your device. Safe for hashing sensitive files, API keys, and secrets. Verify by opening DevTools → Network tab while hashing: you will see zero outbound requests.