Hash Generator
Generate cryptographic hashes from text or any file. Supports MD5, SHA-1, SHA-256, SHA-384 and SHA-512. SHA variants use the browser's native Web Crypto API. Everything runs in your browser — nothing is sent to any server.
Enter a known hash above — matching algorithm will show Match.
Enter a secret key above to compute HMAC — used for API signatures, webhooks (GitHub, Stripe) and message authentication.
Related Tools
Frequently Asked Questions
What is the difference between MD5 and SHA-256 output, and why does MD5 still appear in developer tools?▾
MD5 produces a 128-bit hash displayed as 32 hexadecimal characters; SHA-256 produces a 256-bit hash as 64 hex characters. MD5 has known practical collision vulnerabilities — researchers demonstrated collisions in 2004, and the Flame malware exploited MD5 in 2012 to forge Microsoft certificates — making it cryptographically broken for security use. MD5 persists in developer tools because it remains useful for non-security checksums (quick file deduplication, cache busting, non-critical integrity checks) where speed matters and collision attacks are not a concern.
Is hashing reversible? What do online 'MD5 decryptors' actually do?▾
No — hash functions are one-way by design. There is no mathematical inverse to recover the original input from a hash. What 'MD5 decryptors' online actually do is query rainbow tables or precomputed databases of hashes for common strings. If your input was a short or common string, it may appear in those databases. Truly random or long inputs cannot be reversed. This is why hashing is unsuitable for passwords unless combined with a salt and a slow key-derivation function like bcrypt, scrypt, or Argon2.
What does HMAC-SHA256 do that plain SHA-256 doesn't?▾
Plain SHA-256 just hashes the data — anyone can recompute the same hash if they have the input. HMAC (Hash-based Message Authentication Code) incorporates a secret key into the hash computation. The result can only be reproduced by someone who knows the key, providing both integrity and authenticity. Use HMAC-SHA256 for API request signing, webhook payload verification (GitHub and Stripe both use it), and message authentication — anywhere you need to prove the hash came from a party holding the secret.
Why do SHA-256 hashes of the same file sometimes differ between tools?▾
The hash of identical binary content is always identical — if two tools produce different hashes, the inputs actually differ. Common causes: line ending normalization (a tool converting \r\n to \n before hashing), character encoding differences (UTF-8 vs UTF-16 BOM prepended), leading/trailing whitespace added by a text input field, or the tool hashing the string representation rather than raw bytes. For file integrity verification, always hash the raw binary, not a text copy.
What is the difference between SHA-256 and SHA-3, and should I prefer one?▾
SHA-256 belongs to the SHA-2 family (designed by the NSA, standardized in 2001); SHA-3 (Keccak, standardized by NIST in 2015) uses a fundamentally different sponge construction. SHA-256 has no known practical weaknesses and has a vastly larger ecosystem of library and hardware support. SHA-3 was standardized as a backup should weaknesses be found in SHA-2 — not because SHA-2 is broken. For practical use today, SHA-256 is the correct default.