Cryptographic Hash Generator
This tool generates cryptographic hashes from text or file input directly in your browser. Enter a string or upload a file, select a hash algorithm (MD5, SHA-1, SHA-256, SHA-384, SHA-512, or HMAC variants), and get the hash output instantly. No data is sent to a server. Your input text, file contents, and secret keys stay on your device. The tool is free, requires no account, and works offline after the page loads.
Hash results
Enter text or select algorithms to see digests.
Compare hashes
How this tool works
The hash generator computes cryptographic digests of any text or file input using five algorithms simultaneously: MD5, SHA-1, SHA-256, SHA-384, and SHA-512. All hashing runs client-side using the browser's native SubtleCrypto API for SHA algorithms and a JavaScript fallback for MD5, so input data never leaves your device. MD5 and SHA-1 are shown for legacy compatibility and checksum verification only because both are cryptographically broken and must not be used for security-sensitive purposes like password hashing or digital signatures. SHA-256 is the current standard for checksum verification and general-purpose integrity checks; SHA-512 provides a wider digest for applications requiring higher collision resistance. For file inputs, the tool reads the file as an ArrayBuffer and hashes the raw bytes, producing the same digest as openssl dgst or shasum on the command line. Key assumption: hash functions are deterministic: identical inputs always produce identical outputs. If your computed hash does not match an expected value, the most common cause is a character encoding mismatch (UTF-8 vs UTF-16) or an invisible trailing newline in the text input. Edge case: a file with Windows line endings (CRLF) produces a different hash than the same file with Unix line endings (LF). Normalize line endings before hashing if cross-platform consistency matters.
Worked example
SHA-256 of "hello" is 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. MD5 of "test" is 098f6bcd4621d373cade4e832627b4f6. HMAC-SHA256 with a 20-byte key of 0x0b and message "Hi There" matches the RFC 4231 test vector.
Related tools
Frequently asked questions
Is my input sent to a server?
No. All hashing runs in your browser using the Web Crypto API, which is a native browser feature and not a third-party service. There is no network request. You can verify this with your browser's DevTools Network tab. This is why you can safely hash passwords, API keys, file contents, and secret messages.
What is the difference between MD5 and SHA-256?
MD5 produces a 128-bit digest and is fast but cryptographically broken: collision attacks are practical, meaning two different inputs can be engineered to produce the same MD5 hash. SHA-256 produces a 256-bit digest and is currently considered secure for collision resistance. Use SHA-256 or stronger for any security-sensitive purpose. MD5 is acceptable for checksums where intentional tampering is not a concern.
What is an HMAC and when should I use it?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. The result proves both that the message was not tampered with and that the sender knew the secret key. Use HMAC when you need to authenticate the origin of a message, such as when signing API requests, generating webhook signatures, or creating signed cookies. A plain hash without a key proves content integrity but not origin.
What encoding should I use for the hash output?
Hexadecimal is the default and is the most common format for displaying hashes in documentation, logs, and checksums. Base64 uses fewer characters (SHA-256 in base64 is 44 characters vs. 64 in hex) and is the standard format for HMAC values in HTTP headers and JWTs. Most API signature schemes specify which encoding they expect.
Why does the same input sometimes produce different hashes on different tools?
The most common cause is encoding. If one tool treats the input as UTF-8 and another as Latin-1, they are hashing different byte sequences. Another common cause is trailing newlines: some tools append a newline character to the input before hashing (as command-line tools like echo do by default), while others do not. This tool hashes exactly what you type with no added characters, and lets you optionally append a newline to match command-line tool behavior.
What is bcrypt and why is it different from SHA-256?
bcrypt is a password hashing function, not a general-purpose hash. It is intentionally slow (the work factor is adjustable) to make brute-force attacks expensive. SHA-256 is designed to be fast, which makes it unsuitable for storing passwords: an attacker with a GPU can test billions of SHA-256 hashes per second. For password storage, always use bcrypt, Argon2, or scrypt. This tool supports bcrypt for educational and verification purposes.