Type or paste your text into the Input box, then click any algorithm button — MD5, SHA-1, SHA-256, SHA-384, or SHA-512 — to instantly compute its hash. Enable HMAC and enter a secret key to generate a keyed message authentication code. Everything runs in your browser; nothing is sent to any server.
What is a hash function?
A cryptographic hash function takes an input of any length and produces a fixed-length output (the digest or hash). The same input always produces the same output (deterministic), and even a single character change in the input produces a completely different hash (avalanche effect). Hash functions are one-way — you cannot reverse a hash to recover the original input.
Common uses include data integrity checks (verify a downloaded file hasn't been corrupted), password storage (combined with a salt and a slow KDF like bcrypt or Argon2), digital signatures, and content-addressable storage (e.g. Git commit hashes).
Algorithm comparison
MD5 — 128-bit (32 hex chars)
Fast, widely supported, but cryptographically broken (collision attacks exist). Fine for non-security checksums and legacy systems, not for passwords or digital signatures.
SHA-1 — 160-bit (40 hex chars)
Stronger than MD5 but also cryptographically weak — collision attacks have been demonstrated (SHAttered, 2017). Deprecated for certificates and signatures; still used in Git and some checksums.
SHA-256 — 256-bit (64 hex chars)
Part of the SHA-2 family. The industry standard for most security applications — TLS certificates, code signing, Bitcoin, HMAC-SHA256. Recommended default for new systems.
SHA-512 — 512-bit (128 hex chars)
Larger digest and often faster than SHA-256 on 64-bit systems. Used where extra collision resistance is required, though SHA-256 is sufficient for most use cases.
How to use this tool
- 1Type or paste your text into the Input Text area.
- 2Click the algorithm button for the hash you need: MD5, SHA-1, SHA-256, SHA-384, or SHA-512.
- 3For HMAC, check Use HMAC, enter your secret key, then click an algorithm button.
- 4The hash appears in the Hash Output box. Click Copy to copy it.
Code examples
JavaScript (Web Crypto API)
async function sha256(text) {
const encoded = new TextEncoder().encode(text);
const hashBuffer = await crypto.subtle.digest('SHA-256', encoded);
const hashArray = Array.from(new Uint8Array(hashBuffer));
return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}
const hash = await sha256('hello world');
Python (hashlib)
import hashlib, hmac
text = 'hello world'
# SHA-256
h = hashlib.sha256(text.encode()).hexdigest()
# HMAC-SHA256
mac = hmac.new(b'secret', text.encode(), hashlib.sha256).hexdigest()
Frequently asked questions
Is my input text sent to a server?
No. All hashing uses the CryptoJS library running in your browser. Your text never leaves your device.
Can I reverse a hash to get the original text?
No. Cryptographic hash functions are one-way. Short or common inputs can sometimes be found in precomputed rainbow tables, which is why passwords must always be salted before hashing.
What is HMAC and how is it different from a plain hash?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. Unlike a plain hash, an HMAC cannot be forged without knowing the secret key, making it suitable for verifying message authenticity — e.g. signing API requests or validating webhook payloads.
Should I use this tool to hash passwords?
No. Password hashing requires a slow, salted key derivation function like bcrypt, Argon2, or PBKDF2. Fast hash functions like SHA-256 are unsuitable for passwords because they can be brute-forced at billions of attempts per second on modern hardware.
What hash algorithm does Git use?
Git uses SHA-1 for commit, tree, blob, and tag objects (20-byte / 40 hex-char IDs). The project is actively working on migrating to SHA-256 (git --object-format=sha256) for new repositories.
Related tools