toololis
#

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-512 hashes

0 bytes
MD5 128-bit
SHA-1 160-bit
SHA-256 256-bit · recommended
SHA-384 384-bit
SHA-512 512-bit

Free online hash generator — MD5, SHA-1, SHA-256, SHA-384, SHA-512

Toololis Hash Generator computes cryptographic hashes entirely in your browser. Paste any text and instantly see all 5 common hashes. SHA family uses the browser\'s native crypto.subtle API for maximum speed and accuracy.

Hash algorithm comparison

  • MD5 (128-bit, 32 hex chars) — Broken for security. Fine for file checksums and non-cryptographic uses.
  • SHA-1 (160-bit, 40 hex chars) — Deprecated. Still seen in legacy systems. Collisions demonstrated in 2017.
  • SHA-256 (256-bit, 64 hex chars) — Current default. Used in HTTPS, Bitcoin, Git (migration).
  • SHA-384 (384-bit, 96 hex chars) — A truncated SHA-512, used where 384 bits of output are specified.
  • SHA-512 (512-bit, 128 hex chars) — Long-term margin. Recommended for new systems expecting 30+ year lifespans.

How to use this tool

  1. 1

    Paste your text

    Type or paste any text — passwords, file contents, API payloads, anything. Hashes update live as you type.

  2. 2

    Read the hashes

    All 5 hashes (MD5, SHA-1, SHA-256, SHA-384, SHA-512) are computed simultaneously and displayed in hex.

  3. 3

    Copy the one you need

    Click the Copy button next to any hash to send it to your clipboard. All hashing happens locally.

Common use cases

  • File integrity — Verify downloads match publisher-stated hash
  • Git commits — Git uses SHA-1 (migrating to SHA-256) to identify every commit
  • Password storageNever store plain SHA-256; use bcrypt, argon2, or scrypt which include salting and cost factor
  • API signing — Webhook bodies often hashed with HMAC-SHA256 for authenticity
  • Blockchain — SHA-256 is the backbone of Bitcoin proof-of-work
  • Cache keys — Hashing content to generate deterministic cache keys

Do NOT use hash for password storage

A plain SHA-256 of a password is insecure. GPUs can compute billions of SHA-256s per second, making dictionary attacks trivial. Use a password hashing function designed for slowness: bcrypt, argon2id, or scrypt. These are not regular hashes — they include salt and a tunable work factor.

Frequently Asked Questions

Which hash algorithm should I use?
SHA-256 for new code — fast, secure, widely supported. SHA-512 for long-term security margin. SHA-1 and MD5 only for checksums or legacy system compatibility — both are broken for cryptographic use.
Is MD5 safe to use?
For passwords or signatures: no. MD5 has known collision attacks (different inputs producing the same hash). For file integrity checksums: still acceptable — accidental corruption is still detected. For anything security-sensitive, use SHA-256+.
How are hashes computed here?
SHA-1, SHA-256, SHA-384, and SHA-512 use the browser's crypto.subtle.digest() API — the same implementation browsers use for TLS. MD5 uses the js-md5 library (pure JS). All computation is in your browser.
Can a hash be reversed?
No — hashes are one-way by design. You cannot recover the input from the hash. However, for common passwords, rainbow tables can lookup known plaintext-to-hash pairs. Always salt passwords before hashing (bcrypt, argon2 do this automatically).
Why do I get different hashes for "hello" and "hello "?
Hashes are sensitive to every single byte, including whitespace, casing, and line endings. A trailing newline produces a completely different hash. This is a feature — it's how hashes detect any change.
What's the difference between SHA-1 and SHA-256?
SHA-1 produces a 160-bit hash (40 hex chars). SHA-256 produces a 256-bit hash (64 hex chars). SHA-256 is vastly more resistant to collision attacks and is the current default for HTTPS certificates, Git commits (gradually), and blockchain.
Is my input logged?
No. Everything runs client-side. Safe for hashing passwords to check against breach databases (like Have I Been Pwned k-anonymity API — which we don't call from this tool).

You might also like

{ }

JSON Formatter

Format, validate & minify JSON in your browser

.*

Regex Tester

Test regular expressions in real-time

Base64 Encoder / Decoder

Encode or decode Base64 instantly

🔒
100% Privacy. This tool runs entirely in your browser. Your data is never uploaded to any server.