BrowserTools
Advertisement
Home / Encoders / Hash Generator (SHA-1, SHA-256, SHA-384, SHA-512)

Hash Generator (SHA-1, SHA-256, SHA-384, SHA-512)

Compute cryptographic hashes of text or files locally, SHA-1, SHA-256, SHA-384 and SHA-512.

Loading Hash Generator (SHA-1, SHA-256, SHA-384, SHA-512)… If nothing happens, please enable JavaScript.

Frequently asked questions

Is my data uploaded to a server?
No. All hashing is performed locally in your browser using the Web Crypto API, which is built into every modern browser and runs entirely on your device. Your text and files are never transmitted over the network, making this tool safe to use with sensitive or confidential input.
What is the difference between SHA-256, SHA-384, and SHA-512?
All three are part of the SHA-2 family and are considered cryptographically secure. The numbers refer to the output size in bits: SHA-256 produces a 64-character hex digest, SHA-384 produces 96 characters, and SHA-512 produces 128 characters. SHA-256 is the most widely used; SHA-384 and SHA-512 offer larger security margins and may be required by specific compliance standards or protocols such as TLS 1.3 cipher suites.
When would I use a hash in a real project?
Common uses include generating checksums for file integrity verification (distributing a SHA-256 hash alongside a download), building content-addressable storage systems (like Git), creating cache keys from request parameters, computing HMAC message authentication codes, and implementing data deduplication by comparing hashes rather than full file contents.
Why isn't MD5 available?
MD5 is cryptographically broken: practical collision attacks have been publicly known since 2004, meaning two different inputs can be deliberately crafted to produce the same MD5 hash. The Web Crypto API does not expose MD5 for this reason. If you need to verify an MD5 checksum from a legacy system, use SHA-256 for any new checksums you generate — it is just as fast and dramatically more secure.
Can I hash a file, and is there a size limit?
Yes. Use the file input to select any file; it is read locally via the FileReader API, converted to an ArrayBuffer, and passed directly to the Web Crypto API for hashing. There is no hard size limit imposed by the tool, but very large files (several gigabytes) will consume significant memory and take noticeable time. For production file hashing, command-line utilities like sha256sum on Linux/macOS or Get-FileHash in PowerShell are more suitable.
Does the tool work offline?
Yes. Once the page has loaded, the tool operates entirely offline. The Web Crypto API is a browser-native feature that requires no external library or service. You can bookmark the page and use it without an internet connection as long as the page is cached.
Can I use hash output directly as a password or API key?
A SHA-256 hash of a strong random value makes a reasonable API key or session token, but you should never hash a user-supplied password with a bare SHA function. SHA-256 is extremely fast (billions of hashes per second on modern hardware), which makes brute-forcing guessable passwords trivial. For passwords, always use a slow key-derivation function — bcrypt, scrypt, or Argon2 — that is specifically designed to resist brute-force attacks.
Is SHA-1 still safe to use?
SHA-1 is broken for collision resistance: the SHAttered attack (2017) demonstrated the first practical SHA-1 collision, and a chosen-prefix collision attack was published in 2020. SHA-1 should not be used in any new security application. It is still acceptable for non-security uses like checksums where collision resistance is not required, but SHA-256 is a better choice even there since it has the same performance on modern hardware.
What format is the hash output, and can I convert it to Base64?
The tool outputs hashes in lowercase hexadecimal (0–9, a–f), which is the most common and human-readable format. Some systems — notably JWT and HTTP Digest authentication — expect the hash encoded in Base64 instead. You can copy the hex output into the Base64 encoder on this site after converting the hex to binary, or use a library in your programming language to get the raw bytes and Base64-encode them directly.
What is a 'hash collision' and why does it matter?
A collision occurs when two different inputs produce the same hash output. Because hash functions map an infinite input space to a fixed-size output, collisions must mathematically exist — but for a good hash function they should be impossible to find in practice. When collisions can be deliberately engineered (as with MD5 and SHA-1), an attacker could substitute a malicious file for a legitimate one while keeping the hash the same, undermining integrity checks and digital signatures.

About Hash Generator (SHA-1, SHA-256, SHA-384, SHA-512)

A cryptographic hash function is a mathematical algorithm that takes an input of arbitrary length and produces a fixed-size output — the hash or digest — that appears random but is completely deterministic. The same input always produces the same hash, yet changing even a single bit of the input produces a completely different digest (the avalanche effect). This one-way property means it is computationally infeasible to reverse a hash back to its original input, which makes hash functions foundational to computer security. The SHA (Secure Hash Algorithm) family was designed by the National Security Agency and standardised by NIST: SHA-1 in 1995, SHA-256/384/512 (collectively SHA-2) in 2001.

Hash functions are used everywhere in modern software. Password storage systems hash user passwords with an additional salt so that even if the database is stolen, the plaintext passwords remain unknown. File integrity tools distribute SHA-256 checksums alongside downloads so users can verify that a file has not been tampered with in transit. Git uses SHA-1 (and is migrating to SHA-256) to address every commit, tree, and blob in a repository. Digital certificates, TLS handshakes, HMAC authentication tokens, and code-signing pipelines all depend on SHA-2 hashes. Content delivery networks use hashes for cache keys, and blockchains use them for proof-of-work.

This tool computes SHA-1, SHA-256, SHA-384, and SHA-512 hashes directly in your browser using the Web Crypto API — a native browser interface backed by the operating system's cryptographic library. Because all computation happens on your device, your input text or file is never uploaded to any server, making the tool safe to use with confidential documents, production credentials, or private keys. Results are displayed in lowercase hexadecimal, the most common format, and can be copied with a single click.

Choosing the right algorithm matters. SHA-1 is considered cryptographically broken for collision resistance — two different inputs can be engineered to produce the same SHA-1 hash — and should only be used for legacy interoperability, not new security applications. SHA-256 is the current workhorse standard, widely supported and appropriate for the vast majority of use cases. SHA-384 and SHA-512 offer larger output sizes (and slightly stronger security margins) at the cost of somewhat larger digests. If you need to hash passwords specifically, use a purpose-built password hashing function like bcrypt, scrypt, or Argon2 instead — cryptographic hashes like SHA-256 are intentionally fast, which makes them poor choices for password storage.

The SHA story: from classified origins to global standard

The Secure Hash Algorithm family was developed by the United States National Security Agency (NSA) and standardised by the National Institute of Standards and Technology (NIST). The original SHA (retroactively called SHA-0) was published in 1993, but the NSA withdrew it less than a year later — officially citing a flaw, though the nature of that flaw was classified. SHA-1, its successor, was published in 1995 and went on to become one of the most widely deployed cryptographic algorithms in history, embedded in everything from SSL certificates to Git repositories.

The SHA-2 family (SHA-256, SHA-384, SHA-512) was published in 2001, but adoption was slow because SHA-1 was still considered secure at the time. It took the theoretical break of SHA-1 by Wang Xiaoyun's team in 2005, and the practical SHAttered collision attack in 2017, to finally push the industry toward SHA-2. NIST has also standardised SHA-3 (2015), which is based on a completely different internal structure (the Keccak sponge construction) and serves as a backup in case a fundamental weakness is found in SHA-2.

One fascinating detail: the output of SHA-256 is exactly 256 bits — a number so astronomically large (about 10^77) that the number of possible SHA-256 hashes exceeds the estimated number of atoms in the observable universe. This is why, even with the entire computing power of the world working together, finding a specific SHA-256 input from its hash alone is considered practically impossible for the foreseeable future.

Related tools

Base64 Encoder & Decoder

Encode and decode Base64 text or files locally in your browser.

JWT Decoder

Decode and inspect JSON Web Tokens locally, header, payload and expiry claims.
Advertisement