Can I use this to store passwords?

No. SHA algorithms are fast by design, which makes them unsuitable for password storage. For passwords, use dedicated algorithms like bcrypt, scrypt, or Argon2.

Hash Generator — SHA-1/256/384/512 + File Drag-Drop + Compare

How the Hash Generator Works

Type or paste any text into the input field. The tool automatically computes SHA-1, SHA-256, and SHA-512 hashes simultaneously using the Web Crypto API built into your browser. No server requests are made — everything runs locally.

Each hash is displayed in hexadecimal format. Click the Copy button next to any hash to copy it to your clipboard. SHA-256 is the most widely used algorithm for checksums and data integrity verification.

What Are Hash Functions?

A hash function is a mathematical algorithm that takes any input — a word, a file, an entire database — and produces a fixed-length string called a hash, digest, or checksum. No matter how large the input, the output is always the same length: SHA-256 always produces 64 hexadecimal characters, SHA-512 always produces 128. That fixed-length output is what makes hash functions so useful any time you need a compact, unique fingerprint of a piece of data.

Hash functions have three key properties that make them cryptographically useful. First, they're deterministic: the same input always produces the exact same output, every single time. Second, they're one-way: given a hash, it's computationally infeasible to reconstruct the original input — that's what makes them useful for security. Third, they have the avalanche effect: changing even a single character in the input produces a completely different hash output. Try typing 'Hello' and 'hello' and compare the SHA-256 results — they'll share almost no characters despite differing by only one letter's case.

The SHA (Secure Hash Algorithm) family was developed by the US National Security Agency and published by NIST. SHA-1 (1995) produces 160-bit digests and is now deprecated for security use — researchers demonstrated collision attacks in 2017. SHA-2 (2001), which includes SHA-256 and SHA-512, remains the current standard for most security applications. SHA-3 (2015) uses a completely different internal design (Keccak sponge construction) and provides a fallback if SHA-2 were ever compromised. MD5 isn't part of the SHA family but you'll encounter it constantly: it produces 128-bit hashes and was once dominant, but it's now considered broken for security purposes and should only be used for non-security checksums.

When to Use Different Hash Algorithms

MD5 — Use only for non-security file integrity checks where speed matters and collision resistance is not required, such as verifying a downloaded file against a known checksum published by the vendor. MD5 is fast and widely supported. Never use it for passwords, digital signatures, or any security-critical purpose — collision attacks have been demonstrated and practical exploits exist.
SHA-256 — The current general-purpose standard for security applications. Use it for digital signatures, TLS/SSL certificates, code signing, data integrity verification in software distribution, and blockchain applications (Bitcoin uses SHA-256 for its proof-of-work). It is the most widely deployed hash algorithm in the world and has no known practical vulnerabilities.
SHA-512 — Preferred for high-security applications and government systems where maximum bit strength is required. SHA-512 processes data in 1024-bit blocks (versus 512-bit for SHA-256) and is actually faster than SHA-256 on 64-bit processors due to its internal design. It is commonly used in high-value PKI systems, secure document signing, and financial cryptography.
HMAC (Hash-based Message Authentication Code) — When you need to verify both data integrity and authenticity, combine any hash algorithm with a secret key using HMAC. HMAC-SHA256 is used in JWT tokens, API authentication (AWS, Stripe, and most modern APIs use HMAC signatures), and webhook verification. A plain hash proves the data hasn't changed; an HMAC proves it came from someone who knows the secret key.

Hash a file without uploading it anywhere

File mode lets you drag-drop any file — or browse for it — and hash its contents via the Web Crypto API, entirely in your browser. The file never leaves your device. You'll see the file size alongside the hashes, which is useful for a quick sanity check (if the size already differs from the expected value, you don't need to compare hashes at all). All four SHA algorithms — SHA-1, SHA-256, SHA-384, and SHA-512 — are computed in parallel, so you get every result at once instead of waiting for each one.

There's also a hash comparison input: paste the expected hash you received from a vendor or a build artifact, and the tool immediately tells you whether it matches and which algorithm it matched against. No manual character-by-character comparison on a 128-character SHA-512 hex string. If you've ever squinted at two hashes trying to spot a single wrong digit, this saves that effort.

Frequently Asked Questions

So what actually is a hash function?

A hash function takes any input and produces a fixed-length string of characters. The same input always produces the same output, but even a tiny change in the input produces a completely different hash. That's what makes hashes useful for verifying data integrity.

What is the difference between SHA-1, SHA-256, and SHA-512?

SHA-1 produces a 160-bit (40 character hex) hash and is considered weak for security-critical uses. SHA-256 produces a 256-bit (64 character hex) hash and is widely used for checksums and certificates. SHA-512 produces a 512-bit (128 character hex) hash offering the highest security.

Can I use SHA hashes to store passwords?

No — SHA algorithms are fast by design, which makes them unsuitable for password storage. An attacker with a GPU can try billions of SHA-256 hashes per second. For passwords, use dedicated algorithms like bcrypt, scrypt, or Argon2 that are intentionally slow and resistant to brute-force attacks.

Is my text sent anywhere?

No. All hashing is performed locally in your browser using the Web Crypto API. Your text never leaves your device.

What is a hash collision and why does it matter?

A hash collision occurs when two different inputs produce the same hash output. Because hash functions compress arbitrary-length inputs to a fixed-length output, collisions are mathematically inevitable — there are more possible inputs than possible outputs. What matters is whether collisions are practically findable. For MD5 and SHA-1, researchers have found methods to deliberately engineer collisions, which is why they are no longer trusted for security. For SHA-256, no practical collision attack exists — the search space is astronomically large at 2^256 possible outputs.

How do I verify a file download using a hash?

Software vendors often publish a SHA-256 checksum alongside download links. After downloading the file, compute its SHA-256 hash (using this tool for text, or a tool like sha256sum on Linux/macOS for binary files) and compare it character-for-character with the published value. If they match, the file is intact and unmodified. If they differ, the file was corrupted during transfer or, in the worst case, tampered with. This is how you verify that a Linux ISO or software package is genuine.

You might also need

See all tools →

Complementary tools based on what you're doing

🔐

Password GeneratorGenerate secure passwords

🛡️

Password Strength CheckerCheck your password strength

🔢

Number Base ConverterConvert number bases

📲

QR Code GeneratorEncode data as QR code