Hash Generator — Generate SHA-256, SHA-512 & More Online
Paste any text and get its SHA-1, SHA-256, SHA-384, and SHA-512 hash instantly. Uses the Web Crypto API — your data stays in your browser, nothing hits a server. Useful for file integrity checks, password storage verification, and API signature debugging.
Generate MD5, SHA-1, SHA-256 hash values
Enter text to hash
Generate MD5, SHA-1, SHA-256 hash values
SHA-1
160 bits
SHA-256
256 bits
SHA-384
384 bits
SHA-512
512 bits
Generate hash values (MD5, SHA-1, SHA-256)
What Hashing Actually Does
A hash function takes any input — a single character or a 10GB file — and produces a fixed-length output (the "digest"). SHA-256 always outputs 64 hex characters regardless of input size. The same input always gives the same hash, but change one bit and the output is completely different. That's the "avalanche effect."
Critical property: hashing is one-way. You can't reverse a SHA-256 hash to get the original input. This is what makes it useful for password storage — you store the hash, not the password. When a user logs in, you hash their input and compare hashes.
SHA-256 is part of the SHA-2 family, defined in FIPS 180-4 (published by NIST). It's used in Bitcoin mining, TLS certificates, Git commit IDs, and most API signature schemes. SHA-1 is deprecated for security (collision found in 2017 by Google's SHAttered project) but still used for non-security checksums like Git object hashes.
How to Use
- Paste or type your text in the input field.
- All hash algorithms compute simultaneously — no need to pick one first.
- Copy whichever hash you need with one click.
- For file hashing, paste the file content or use a CLI tool like sha256sum.
When You'll Use This
Verifying file integrity after download
Downloaded an ISO or binary? The publisher lists a SHA-256 hash. Paste the file content here (or use sha256sum on CLI) and compare. If hashes match, the file wasn't corrupted or tampered with during transfer.
Debugging API signature generation
Many APIs (AWS, Stripe, webhooks) require HMAC-SHA256 signatures. When your signature doesn't match, paste the string-to-sign here to verify your intermediate hash values step by step.
Checking if a password appears in breach databases
HaveIBeenPwned's API uses SHA-1 prefix matching (k-anonymity). Hash your password with SHA-1, send the first 5 characters to their API, and check if the full hash appears in the response. This tool gives you the SHA-1 to start with.
Generating deterministic IDs from content
Need a unique ID for a piece of content that's the same every time? Hash the content with SHA-256. Same content = same hash = same ID. Used in content-addressable storage, cache keys, and deduplication.
Things to Know
Never use plain hashes for password storage
SHA-256 is fast — that's bad for passwords. An attacker with a GPU can try billions of SHA-256 hashes per second. Use bcrypt, scrypt, or Argon2 for passwords — they're intentionally slow (100ms+ per hash) to make brute-force impractical.
SHA-1 is broken for security, fine for checksums
Google demonstrated a SHA-1 collision in 2017 (SHAttered). Don't use SHA-1 for digital signatures or certificates. But for non-security uses like Git object IDs or cache invalidation, it's still fine — nobody's spending $100K to forge your cache key.
Same input = same hash, always
Hashes are deterministic. If you hash "hello" with SHA-256 today and in 10 years, you get the same output. This is what makes them useful for verification. But it also means identical passwords produce identical hashes — that's why you add a random salt before hashing passwords.
Hash length doesn't equal security level
SHA-256 outputs 256 bits but provides 128 bits of collision resistance (birthday attack). SHA-512 outputs 512 bits with 256 bits of collision resistance. For most applications, SHA-256 is more than sufficient.
Examples
SHA-256 of a simple string
The classic test — hash the word "hello" to verify your implementation matches.
Input
helloOutput
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824One character change = completely different hash
Demonstrates the avalanche effect — "hello" vs "Hello" (capital H).
Input
HelloOutput
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969Features
- Computes SHA-1, SHA-256, SHA-384, SHA-512 simultaneously
- Uses Web Crypto API — cryptographically correct implementation
- Results appear as you type — no button click needed
- One-click copy for each algorithm's output
- Runs 100% in your browser — zero network requests
- Free, no signup, no tracking
Frequently Asked Questions
Can I "decrypt" or reverse a hash?
No. Hash functions are mathematically one-way. You cannot compute the input from the output. The only way to "crack" a hash is to guess inputs until one matches (brute force) or use precomputed tables (rainbow tables). That's why long, random passwords are important.
Which algorithm should I use — SHA-256 or SHA-512?
For most purposes, SHA-256 is fine. SHA-512 is slightly faster on 64-bit systems and produces a longer hash, but both provide more than enough security. Use SHA-256 unless you have a specific reason for SHA-512 (like matching an existing system's requirements).
Why shouldn't I use SHA-256 directly for password hashing?
Because it's too fast. A modern GPU can compute ~10 billion SHA-256 hashes per second. An 8-character password has ~6 × 10^15 combinations — crackable in ~7 days. bcrypt/Argon2 are intentionally slow (~100ms per hash), making the same attack take thousands of years.
What's the difference between hashing and encryption?
Encryption is reversible (with the key). Hashing is not. Encryption: plaintext → ciphertext → plaintext. Hashing: input → hash (no way back). Use encryption when you need to recover the original data. Use hashing when you only need to verify data matches without storing the original.
Is SHA-1 still safe to use?
For security (signatures, certificates): no. A collision attack was demonstrated in 2017. For non-security uses (checksums, cache keys, Git): yes, it's fine. The attack costs ~$100K in compute and requires a very specific scenario that doesn't apply to casual checksum use.
Tips & Related Workflows
- Generate secure passwords to hash and store with our Password Generator.
- Create unique identifiers alongside your hashes with our UUID Generator.
- Encode hash output for safe URL transmission with our Base64 Encoder/Decoder.
- Format JSON containing hash values with our JSON Formatter.