Skip to content

Encoders & Crypto

Hash Generator (SHA-1/256/384/512)

SHA-1, SHA-256, SHA-384, SHA-512 — all in browser.

Runs in your browser

From plain text to a fixed-length fingerprint.

0 / 1024 characters

Hashes run in your browser via the Web Crypto API. Same input, same digest — by design, every time.

Understanding hashing

A one-way fingerprint.

Same input, same digest. Different input, different digest. No way to run it backwards.

What a hash is.

A cryptographic hash is a function that takes any number of bytes and returns a fixed-length number — for SHA-256, exactly 256 bits, written as a 64-character hex string. The function is deterministic (same input always yields the same digest) and one-way (given the digest, you cannot recover the input short of guessing). Change a single bit in the input and the digest looks completely different.

hash("Hello") ≠ hash("hello")

The four properties that matter.

A good cryptographic hash function is deterministic (same input, same output), fast to compute (so checking lots of data is cheap), preimage-resistant (given a digest, finding any input that produces it is hard), and collision-resistant (finding two different inputs with the same digest is also hard). MD5 lost collision-resistance in 2004. SHA-1 lost it in 2017. Both are now considered broken for security purposes, though MD5 remains useful for non-security checksums.

SHA-1, SHA-256, SHA-512.

The numbers are output bit lengths. SHA-1 is 160 bits and considered cryptographically broken; you'll still see it for Git commit IDs and other non-security uses. SHA-256 is the modern default — fast on most CPUs, used for TLS certificates, Bitcoin's proof-of-work, file integrity. SHA-512 is the same family with a wider state and is faster on 64-bit hardware. For almost every use today, SHA-256 is the right choice unless someone tells you otherwise.

Hashing passwords is different.

A general-purpose hash is fast — billions of attempts per second on a modern GPU. That's a problem for passwords, where you want each guess to be expensive. Password hashing functions (bcrypt, scrypt, Argon2) are deliberately slow and tunable: you can dial them up so a single hash takes a tenth of a second. Use them, not SHA-256, for storing passwords.

Hashing vs encryption.

Encryption is reversible — given the ciphertext and the key, you can recover the original message. Hashing is not — there's no key, and there's no path back. If anyone tells you they "decrypted a SHA-256 hash," they either guessed the input from a dictionary or they're confused. The set of inputs that map to a given hash is, in practice, infinite; no key would help.

Why digests look random.

Good cryptographic hashes are designed to behave like random functions: every output bit depends on every input bit, and flipping one bit of input flips, on average, half the output bits. The avalanche, as it's called, is what makes digests useful for spotting tampering — even a single-character difference produces a wildly different digest, so any drift in the original payload is obvious.

Read next

Frequently asked questions

Quick answers.

Which hash algorithms are supported?

SHA-1, SHA-256, SHA-384 and SHA-512 via the Web Crypto API. MD5 is intentionally omitted — it's broken for security use.

Is my input sent anywhere?

No. Hashing runs in your browser using the native Web Crypto API.

Why no MD5?

MD5 has been cryptographically broken since 2004 — collisions can be generated trivially. Use SHA-256 or stronger.

What about SHA-3?

SHA-3 isn't available in the Web Crypto API yet. SHA-256 is still the standard recommendation for new projects.

Are hashes reversible?

No — that's the point. Hashes are one-way. To 'crack' a hash you'd need to brute-force the input, which is infeasible for strong inputs.

Is the generator free?

Yes — fully free, no signup.

People also search for

Related reading

From the blog.(3)

Use with

What people reach for next.

Related tools

More in this room.

See all in Encoders & Crypto