Hash Generator & Toolkit
Hashes with MD5
Hash text live with MD5, SHA-1, SHA-256, SHA-512, SHA-3 and BLAKE2 all at once — plus drag-and-drop file hashing, HMAC, checksum verification, compare, batch, hash identification, an avalanche visualizer, code snippets and a free API. Everything runs in your browser; nothing is uploaded.
Hash generator — key facts
- Algorithms: MD5, SHA-1/224/256/384/512, SHA3, BLAKE2, CRC32
- Safe default: SHA-256 (or SHA-512 / BLAKE2)
- Avoid for security: MD5 & SHA-1 (broken)
- File hashing: Drag-drop → MD5/SHA-1/SHA-256/SHA-512
- HMAC: Keyed auth (HMAC-SHA256 / SHA512)
- Passwords: Use bcrypt/Argon2/scrypt/PBKDF2 — not plain hashes
- API: GET/POST /hub/api/hash
- Privacy: 100% in-browser, nothing uploaded
Hash algorithm comparison
| Algorithm | Secure | Speed | Bits | Collision risk |
|---|---|---|---|---|
| MD5 | ❌ | Fast | 128 | High (broken) |
| SHA-1 | ⚠️ | Fast | 160 | Medium (broken) |
| SHA-256 | ✅ | Medium | 256 | Very low |
| SHA-512 | ✅ | Fast (64-bit) | 512 | Very low |
| SHA3-256 | ✅ | Medium | 256 | Very low |
| BLAKE2b | ✅ | Very fast | 512 | Very low |
| CRC32 | ❌ | Very fast | 32 | N/A (checksum) |
MD5 generator
Instantly compute the 128-bit MD5 of any text or file. Great as a fast checksum for spotting accidental corruption — but never for security, since MD5 is broken.
SHA-256 generator
The industry-standard 256-bit hash, used for checksums, digital signatures, blockchains and certificates. Type text for a live SHA-256, or drop a file.
SHA-512 generator
A 512-bit SHA-2 hash that's actually faster than SHA-256 on 64-bit machines — ideal where a longer digest is wanted.
File hash & checksum
Verify downloads, ISOs and backups: drag a file to get its MD5, SHA-1, SHA-256 and SHA-512 checksums, computed locally.
HMAC generator
Produce HMAC-SHA256 or HMAC-SHA512 from a message and secret key — exactly what API webhook signatures and request signing need.
Hash identifier
Not sure what a hash is? Paste it and we infer the likely algorithm from its length and character set.
PBKDF2 password hashing
Derive a slow, salted password key with PBKDF2-HMAC-SHA256 — adjustable salt, iterations and key length, with a storable encoded output. Use bcrypt/Argon2/scrypt server-side too.
Free Hash API
No key, no sign-up, CORS-enabled. Omit algo to get every algorithm at once.
# one algorithm
GET /hub/api/hash?text=Hello%20World&algo=sha256
→ { "algorithm": "SHA256", "hash": "a591a6d40bf4..." }
# every algorithm
GET /hub/api/hash?text=Hello%20World
→ { "hashes": { "md5": "...", "sha256": "...", ... } }
# POST
POST /hub/api/hash { "text": "Hello World", "algo": "sha512" }
What is a hash function?
A hash function turns any input — a word, a password, a multi-gigabyte file — into a fixed-size string called a digest or checksum. The same input always yields the same digest, but you can't reverse a digest back into the input, and even a one-character change produces a completely different result (the avalanche effect). That makes hashes ideal for verifying file integrity, indexing data, and underpinning digital signatures and blockchains.
Not all hashes are equal. MD5 and SHA-1 are broken — attackers can craft collisions — so today you should reach for SHA-256, SHA-512, SHA-3 or BLAKE2. And passwords need a deliberately slow, salted hash (bcrypt, Argon2, scrypt or PBKDF2), never a plain fast hash.
Frequently Asked Questions
Is MD5 secure?
No. MD5 is cryptographically broken — practical collisions can be produced in seconds — so it must never be used for passwords, signatures or security. It is still fine as a fast, non-security checksum (e.g. detecting accidental file corruption). For security use SHA-256, SHA-512, SHA-3 or BLAKE2.
What is the difference between MD5 and SHA-256?
MD5 produces a 128-bit digest and is broken; SHA-256 produces a 256-bit digest and is the current industry standard with no practical collisions. SHA-256 is the safe default for checksums and signatures; MD5 should only be used for non-security error-checking.
Should I use SHA-256 or SHA-512?
Both are secure. SHA-512 has a larger digest and is actually faster on 64-bit CPUs, while SHA-256 produces shorter hashes and is more widely supported. For most web and API work SHA-256 is the standard choice.
How do I generate a hash of a file?
Open the File tab and drag-and-drop your file (or click to choose). It computes MD5, SHA-1, SHA-256 and SHA-512 locally in your browser — nothing is uploaded — so you can verify software downloads, ISOs and backups.
How do I verify a file against a checksum?
Use the Verify tab: paste the expected hash published by the vendor, then drop the file. The tool reports ✓ Match or ✗ Doesn't match and tells you which algorithm matched.
What is HMAC and when do I need it?
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash to authenticate a message — proving it came from someone who knows the key and wasn't tampered with. API providers use HMAC-SHA256 for webhook signatures and request signing.
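The webhook-signature check described above, as an added example that is not code from this tool. The secret, the payload and the hex encoding of the tag are constructed assumptions; real providers document their own header name and encoding.

```python
import hashlib
import hmac
import json

def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 tag over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, received_tag: str) -> bool:
    """Recompute the tag over the raw received bytes, compare in constant time."""
    expected = sign(secret, raw_body).encode("ascii")
    # Encode to bytes so a non-ASCII header value is rejected, not a TypeError.
    got = received_tag.strip().lower().encode("utf-8")
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(expected, got)

# Constructed sample values (assumptions, not from any real provider).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"payment.succeeded","amount":1200}'

def demo() -> dict:
    tag = sign(SECRET, BODY)
    # Parsing and re-serialising JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(BODY)).encode("utf-8")
    return {
        "genuine": verify(SECRET, BODY, tag),
        "tampered": verify(SECRET, BODY.replace(b"1200", b"9200"), tag),
        "wrong_key": verify(b"some-other-key", BODY, tag),
        "reserialized": verify(SECRET, reserialized, tag),
    }

if __name__ == "__main__":
    print(demo())
```

The `reserialized` case is the usual integration bug: verify the signature over the request body exactly as received, before any JSON parsing.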
Can you identify which hash algorithm a string is?
Partly — the Identify tab infers likely algorithms from the hash length and character set (e.g. 32 hex chars ⇒ MD5, 64 ⇒ SHA-256/SHA3-256/BLAKE2s). Length alone can't distinguish algorithms that share a digest size, so it returns the most likely candidates.
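Checksum verification and length-based identification, combined in an added example that is not the tool's own code: the expected digest's length selects the candidate algorithms, the file is streamed once through all of them, and the name of the one that matched is returned. CRC32 is left out because Python's `hashlib` does not provide it; the sample file is constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> algorithms listed on this page that produce it.
CANDIDATES = {}
for _name in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "sha3_256", "sha3_512", "blake2s", "blake2b"):
    CANDIDATES.setdefault(hashlib.new(_name).digest_size * 2, []).append(_name)

def identify(expected: str) -> list:
    """Candidate algorithms for a hex digest; [] when it is not plain hex."""
    h = expected.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return list(CANDIDATES.get(len(h), []))

def verify_file(path: str, expected: str, chunk_size: int = 1 << 20):
    """Return the algorithm whose digest of the file equals `expected`, else None."""
    names = identify(expected)
    if not names:
        return None
    hashers = [hashlib.new(n) for n in names]
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):  # stream: constant memory for large ISOs
            for h in hashers:
                h.update(chunk)
    want = expected.strip().lower()
    for name, h in zip(names, hashers):
        if hmac.compare_digest(h.hexdigest(), want):
            return name
    return None

def demo():
    """Constructed sample: a temp file checked against four 'published' values."""
    data = b"constructed sample download\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    try:
        return (verify_file(f.name, hashlib.sha3_256(data).hexdigest().upper()),
                verify_file(f.name, hashlib.md5(data).hexdigest()),
                verify_file(f.name, "0" * 64),
                verify_file(f.name, "not-a-hash"))
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

A match reported as `md5` or `sha1` only rules out accidental corruption; treat a download as verified against tampering only when a SHA-2, SHA-3 or BLAKE2 digest matches.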
What is the avalanche effect?
A good hash changes drastically when the input changes even slightly — flipping one input bit should flip about half the output bits. The Avalanche tab visualises this: edit one character and watch ~50% of the hash digits change.
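The avalanche measurement described above, as an added example that is not the tool's code: every input bit is flipped in turn and the fraction of changed digest bits is recorded. It goes one step beyond the passage by contrasting CRC32, where the output change caused by a given bit flip is the same for every message of that length, which is why the comparison table lists it as a checksum rather than a secure hash.

```python
import hashlib
import zlib

def flip_bit(message: bytes, bit: int) -> bytes:
    """Copy of `message` with one bit inverted."""
    out = bytearray(message)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def bit_diff_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length digests."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (len(a) * 8)

def avalanche(message: bytes, algo: str = "sha256"):
    """Flip each input bit once; return (min, mean, max) changed-bit fraction."""
    base = hashlib.new(algo, message).digest()
    fractions = [
        bit_diff_fraction(base, hashlib.new(algo, flip_bit(message, i)).digest())
        for i in range(len(message) * 8)
    ]
    return min(fractions), sum(fractions) / len(fractions), max(fractions)

def sha256_delta(message: bytes, bit: int) -> int:
    """XOR of the SHA-256 digests before and after flipping one input bit."""
    a = hashlib.sha256(message).digest()
    b = hashlib.sha256(flip_bit(message, bit)).digest()
    return int.from_bytes(a, "big") ^ int.from_bytes(b, "big")

def crc32_delta(message: bytes, bit: int) -> int:
    """Same measurement for CRC32; it depends only on length and bit position."""
    return zlib.crc32(message) ^ zlib.crc32(flip_bit(message, bit))

if __name__ == "__main__":
    print("SHA-256 min/mean/max:", avalanche(b"Hello World"))
    # Two different 11-byte messages, same flipped bit: identical CRC32 change.
    print(hex(crc32_delta(b"Hello World", 3)), hex(crc32_delta(b"HELLO WORLD", 3)))
```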
Are my text and files kept private?
Yes. All hashing runs locally with the browser's Web Crypto API and pure-JS algorithms. Your text and files never leave your device.
How should I hash passwords?
Never with a plain fast hash like MD5 or SHA-256 — use a slow, salted password hash: bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count, run on your server. The strength analyzer here flags fast hashes as unsuitable for passwords.
How do I hash a password with PBKDF2?
Open the Password tab, enter the password, generate a unique random salt, choose a hash (SHA-256), set a high iteration count, and click Derive key. It returns the derived key plus a storable encoded string (pbkdf2_sha256$iterations$salt$hash). In production, do this on your server and store the salt + iterations alongside the hash.
How many PBKDF2 iterations should I use?
Follow current OWASP guidance: roughly 600,000 iterations for PBKDF2-HMAC-SHA256 (or 210,000 for SHA-512) as of the mid-2020s. More is safer but slower; tune so a single derivation takes a few hundred milliseconds on your server. The Password tab offers 10k–600k presets.
PBKDF2 vs bcrypt vs Argon2 — which is best?
All are slow, salted password KDFs. Argon2id is the modern recommendation (memory-hard, resists GPU/ASIC attacks); bcrypt is a battle-tested default; PBKDF2 is FIPS-approved and built into every platform (and this tool). scrypt is also memory-hard. Any of them, with a strong cost factor, beats a plain hash.
What salt length should I use?
At least 16 bytes (128 bits) of cryptographically-random data, unique per password. The Password tab's random-salt button generates a fresh salt; store it (it isn't secret) so you can re-derive and compare on login.
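A server-side sketch of the PBKDF2 answers above (encoded string, iteration count, salt length), added here and not taken from this tool. Base64 for the salt and hash fields is an assumption, since the page gives only the `pbkdf2_sha256$iterations$salt$hash` layout; `needs_rehash` is a hypothetical helper showing why the iteration count is stored with the hash.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # the page's figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16       # the page's minimum salt length

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key with a fresh random salt and return the storable record."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(key)}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iters, salt_b64, key_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # wrong field count, bad integer or bad base64
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=len(expected))
    return hmac.compare_digest(key, expected)

def needs_rehash(stored: str, target: int = ITERATIONS) -> bool:
    """True when the record is malformed or used fewer iterations than `target`."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < target

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

On a successful login where `needs_rehash` is true, call `hash_password` again with the submitted password and replace the stored record.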
Can I generate all hashes at once?
Yes — that's the default. As you type, MD5, SHA-1, SHA-224/256/384/512, SHA3-256/512, BLAKE2b/2s and CRC32 are all computed simultaneously, so you never have to switch algorithms. Copy any one, or output in Hex, Base64 or Binary.
What text encoding does the hash use?
Text is hashed as UTF-8 bytes, which matches the default in Node.js, Python (str.encode()), PHP and most platforms — so the digests here equal what your code produces. Files are hashed byte-for-byte exactly as stored.
How large a file can I hash, and is it uploaded?
Any size your browser can read, and nothing is uploaded — files are hashed locally. SHA-1/256/384/512 use the native Web Crypto API for speed; MD5 uses a fast pure-JS implementation. Ideal for verifying multi-gigabyte ISOs and downloads.
Can I compare two hashes or verify a download?
Yes. The Compare tab tells you if two hashes are identical and where they first differ; the Verify tab checks a file or text against an expected hash and reports ✓ Match / ✗ Doesn't match plus which algorithm matched.