Hash Generator

Generate cryptographic hashes (MD5, SHA-1, SHA-256, SHA-512, SHA3-256, SHA3-512) from any text. Processing done server-side with PHP.

Input Text

Frequently Asked Questions

A cryptographic hash function takes any input and produces a fixed-size output (the "digest"). It is deterministic (same input → same output), one-way (cannot reverse the hash to get input), and collision-resistant (practically impossible to find two inputs with the same hash). Hashes are used for password storage, data integrity checks, digital signatures, and checksums.

MD5 and SHA-1 are considered cryptographically broken — collisions have been demonstrated. They are still used for non-security checksums (e.g. file integrity) but should never be used for passwords or digital signatures. SHA-256 and SHA-512 (SHA-2 family) and the newer SHA-3 family remain secure for cryptographic purposes.

No — not these general-purpose hashes. Use a purpose-built password hashing algorithm like bcrypt, Argon2, or scrypt which are slow by design and include a salt to resist rainbow table attacks. See the Bcrypt Generator tool.

MD5 (128-bit output) is cryptographically broken — practical collision attacks have been demonstrated since 2004. It should never be used for digital signatures, certificates, or password hashing. SHA-1 (160-bit output) is also considered broken — Google demonstrated a practical collision in 2017 (SHAttered attack) and browsers have deprecated SHA-1 certificates. SHA-256 and SHA-512 (the SHA-2 family) remain secure for all current cryptographic purposes. SHA-3 (Keccak) is the latest standard and is based on a completely different construction (sponge function), providing an algorithmic backup if SHA-2 were ever broken. For non-security checksums (file integrity, deduplication), MD5 and SHA-1 remain usable since preimage resistance is still intact.

Hash functions are designed to be computationally infeasible to reverse — this property is called preimage resistance. A hash function maps an input of arbitrary length to a fixed-size output (e.g. 256 bits for SHA-256). Because the output is smaller than many possible inputs, information is inherently lost — many different inputs could theoretically produce the same hash, making exact reversal logically impossible. Cryptographic hash functions add the additional guarantee that finding any input that produces a given hash output requires brute-force effort proportional to 2ⁿ operations (where n is the output bit length). This is why SHA-256 is considered secure — 2²⁵⁶ operations is beyond any conceivable computing capability.

A rainbow table is a precomputed lookup table that maps common passwords (and their variations) to their hash values. An attacker who obtains a database of unsalted password hashes can look up each hash in a rainbow table and instantly recover the original password — no cracking required. A salt is a random value (typically 16–32 bytes) appended to each password before hashing. Because every password gets a unique salt, rainbow tables become useless — an attacker would need to precompute a separate table for every possible salt. This is why modern password hashing algorithms like bcrypt, Argon2, and scrypt automatically generate and store a random salt with each hash.

A hash collision occurs when two different inputs produce the same hash output. By the pigeonhole principle, collisions must exist in any hash function (infinite inputs, finite output space), but a secure hash function should make finding collisions computationally infeasible. MD5 collisions can be generated in seconds on a modern computer — this was demonstrated as early as 2004, and practical exploit scenarios (such as creating two PDFs with the same MD5 hash but different content) have been shown. SHA-1 collisions were demonstrated by Google in 2017 at significant but feasible cost. A collision attack is catastrophic for digital signatures and certificates because an attacker could get a legitimate cert signed for one document and fraudulently apply it to a different one.

File integrity verification works by computing the hash of a file and comparing it to a known-good checksum published by the file's distributor. If even a single bit in the file has changed (corruption or tampering), the hash will be completely different. Common examples: Linux distributions publish SHA-256 checksums for ISO downloads; package managers like apt, npm, and pip verify package hashes before installation; and Git uses SHA-1 (moving to SHA-256) to identify every commit, tree, and blob. To verify a file manually: sha256sum downloaded-file.iso on Linux/macOS, or Get-FileHash downloaded-file.iso -Algorithm SHA256 in PowerShell, then compare the output to the published checksum.

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a message authentication code. Unlike a plain hash (which anyone can compute from the same input), an HMAC can only be verified by someone who knows the secret key. The construction is HMAC(key, message) = H((key XOR opad) || H((key XOR ipad) || message)). HMACs are used to verify both the integrity (data not altered) and authenticity (came from a party with the key) of a message. They are used in JWTs (to sign the token), API authentication (AWS Signature, Stripe webhooks), and cookie signing. Use HMAC-SHA256 as the standard — avoid HMAC-MD5 and HMAC-SHA1 for new designs.

Encryption is reversible — if your encryption key is compromised (e.g. via a server breach or key management failure), all stored passwords can be decrypted and recovered. Hashing is one-way — even if an attacker obtains the hash database, they cannot reverse the hashes to get original passwords without a brute-force or dictionary attack. This is why password storage should always use hashing. At login time, you hash the user's input and compare it to the stored hash — you never need to recover the original password. Use a slow, salted password hashing algorithm specifically designed for this purpose: Argon2id (modern standard), bcrypt (widely supported), or scrypt. Never use SHA-256 or MD5 directly for passwords — they are too fast and allow billions of guesses per second.

About This Hash Generator

This free hash generator computes cryptographic hashes for any text input using MD5, SHA-1, SHA-256, SHA-384, and SHA-512 algorithms. Enter text and instantly see the hash output for every algorithm side by side.

Hash functions are one-way: they produce a fixed-length fingerprint of any input, and it is computationally infeasible to reverse them. They are used for data integrity verification, checksums, digital signatures, and (for bcrypt/Argon2) password storage.

When to use this tool

Generating SHA-256 checksums to verify file integrity
Comparing hash outputs across different algorithms
Testing hash behaviour for edge cases like empty strings
Learning the difference between MD5, SHA-1, and SHA-256

Standards & References

How Hash Generation Works

A cryptographic hash function maps any input to a fixed-length fingerprint deterministically and irreversibly.

Send to PHP Backend

The input text is sent to the PHP API endpoint via a GET request. PHP processes it server-side using the native hash() function, which wraps the system's cryptographic library.

Apply Algorithm

PHP's hash('sha256', $input) feeds the input bytes through the selected algorithm's compression function (MD5: 128-bit, SHA-1: 160-bit, SHA-256: 256-bit, SHA-512: 512-bit output).

Return Hex Digest

The raw binary output is hex-encoded to produce a human-readable string. The "Hash All" option runs all six algorithms in one request and returns them together for easy comparison.

Hashes are deterministic — the same input always produces the same digest. They are one-way — the digest cannot be reversed to recover the original input.

Common Use Cases

File Integrity Verification

Software downloads publish SHA-256 checksums so users can verify the downloaded file hasn't been tampered with. Hash the file content and compare against the published digest — any difference means corruption or alteration.

Cache Key Generation

Hashing a query, template, or response body produces a short deterministic cache key. SHA-256 is compact (64 hex chars) and collision-resistant, making it ideal for cache tags in Redis, Memcached, and CDN configs.

Content Deduplication

Hash-based deduplication stores only one copy of each unique piece of content and uses the hash as the key. File storage systems (Git, content-addressed stores) use SHA-1/SHA-256 for this purpose.

Data Fingerprinting

Hash API request bodies, config versions, or schema snapshots to detect changes without storing the full content. Compare the current hash against a stored hash to detect drift in data pipelines or deployments.

HMAC & Digital Signatures

HMAC (Hash-based Message Authentication Code) uses a hash function (SHA-256 or SHA-512) combined with a secret key. Understanding the underlying hash algorithm helps when implementing or debugging webhook signature verification.

Algorithm Comparison

Use "Hash All" to compare output lengths and performance characteristics of all six algorithms at once. This helps when selecting the right algorithm for a new system — balancing speed, digest length, and collision resistance.

Related Developer Tools

Bcrypt Generator

Random String Generator

Base64 Encoder/Decoder

Password Generator

View all articles

What Developers Still Get Wrong About Password Storage in 2024

LinkedIn stored 117 million passwords as unsalted SHA-1 — cracked within days. Adobe used 3DES encryption (reversible) instead of hashing. These are the specific, named password storage mistakes that keep producing data breaches. Here's every common error, why it fails, and the correct modern approach with bcrypt and Argon2.

Jun 16, 2026

How File Hash Verification Actually Works: Determinism, the Avalanche Effect, and What "Match" Really Means

Hashing the same file twice, a year apart, on different computers, produces the exact same hash — this single property, determinism, is the foundation of file-integrity verification. Here's how the avalanche effect guarantees "match or no match, with no partial credit," why fixed output size makes hash comparison practical for huge files, the proper download-verification workflow, and why where a published hash comes from matters as much as the comparison itself.

Jun 16, 2026

Merkle Trees and Hash Functions: How Git, Blockchain, and Certificate Transparency Work

Hash functions underpin Git commits, blockchain blocks, and certificate transparency logs through Merkle trees. Here's why MD5 and SHA-1 are "broken," how Merkle trees verify large datasets with O(log n) hashes, and how Bitcoin light clients verify transactions without the full blockchain.

Jun 9, 2026

Hash Generator — MD5, SHA-256, SHA-512 & SHA-3 for Data Integrity

Learn how cryptographic hash functions work, when to use MD5 vs SHA-256 vs SHA-3, the avalanche effect, why hashes can't be used for passwords, and how to use a free hash generator for integrity verification.

Jun 7, 2026

Hash Generator — MD5, SHA-1, SHA-256 & SHA-512 Explained

Learn how hash functions work, the differences between MD5, SHA-1, SHA-256, and SHA-3, which algorithm to use for file verification vs. passwords, and how to generate hashes instantly with a free tool.

Jun 6, 2026

Hash Generator

Frequently Asked Questions

What is a hash function?

MD5 / SHA-1 vs SHA-256 / SHA-512?

Should I use hashing for passwords?

How does MD5 compare to SHA-1 and SHA-256 for security?

Why are hash functions one-way?

What are rainbow tables and how does salting defeat them?

What is a hash collision?

How is hashing used for file integrity verification?

What is HMAC and how does it differ from a plain hash?

Why should passwords be hashed rather than encrypted?