A hash is a fixed-length fingerprint of any input. Type a string here and this tool computes its MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests instantly, all in your browser. Developers use hashes to verify data integrity, generate cache keys and ETags, deduplicate content, and match checksums published alongside downloads.
How it works
The tool encodes your text as UTF-8 bytes and feeds them to two engines:
- SHA-1, SHA-256, SHA-384, SHA-512 are computed with the browser’s native
crypto.subtle.digest, the same audited implementation used for TLS and Web Crypto. The result is rendered as a lowercase hex string. - MD5 is not part of SubtleCrypto, so it is computed with a compact, correct JavaScript implementation of the RFC 1321 algorithm — the same 128-bit digest produced by
md5sum.
Because every algorithm is deterministic, the same text always yields the same digest, which is exactly what makes hashes useful for comparison and verification.
Output lengths at a glance
| Algorithm | Output (hex chars) | Bits |
|---|---|---|
| MD5 | 32 | 128 |
| SHA-1 | 40 | 160 |
| SHA-256 | 64 | 256 |
| SHA-384 | 96 | 384 |
| SHA-512 | 128 | 512 |
Common real-world uses
Data integrity verification. Software publishers post a SHA-256 checksum alongside download links. After downloading the file, you hash it and compare — if the digests match, the file wasn’t corrupted or tampered with in transit. This tool is for text hashing; file hashing requires reading raw bytes, which browsers handle with the FileReader API separately.
Cache keys and ETags. Web servers generate an ETag (entity tag) from the SHA of a resource’s content. When the content changes, the SHA changes, and browsers know to re-fetch. Developers paste response bodies here to quickly confirm what the hash would be.
Deduplication. Hashing a text block before storing it lets you check a lookup table for an existing identical record without comparing every character of every stored item. SHA-256 is the standard choice for this: its collision resistance in practice is considered extremely strong.
Matching published checksums. Open-source packages on npm, PyPI, and GitHub releases publish SHA-512 digests. You can verify a package’s README or changelog text hasn’t changed by hashing it here and comparing.
Content-addressed identifiers. Git identifies every commit, tree, and blob by its SHA-1 hash of the content. While Git is moving toward SHA-256 for new repositories, older repos still use SHA-1 — paste a Git object body here to understand how the address is derived.
Which algorithm should you use?
- SHA-256 — correct choice for almost all modern use: checksums, API signatures, certificate fingerprints. 64-character hex digest.
- SHA-512 — preferred when you want extra margin; commonly used by password-hashing schemes as an internal primitive and in some signing protocols.
- SHA-384 — used in TLS 1.3 cipher suites; rarely needed outside that context.
- SHA-1 — only for Git compatibility or legacy systems. Collision attacks exist in theory and in practice; do not use for security.
- MD5 — useful only for non-security checksums and legacy interoperability. Broken for any adversarial context.
Security notes
- MD5 and SHA-1 are cryptographically broken for collision resistance — never use them to verify untrusted data or to protect passwords.
- Hashing a password directly (even with SHA-256) is not secure storage. Use a slow, salted algorithm — bcrypt, scrypt, or Argon2 — on the server. This tool is for hashing arbitrary text strings, not for storing credentials.
- Nothing you type here is transmitted anywhere. All hashing runs in your browser using the SubtleCrypto API and a local MD5 implementation.