You need to hash something. A password, a file checksum, an API payload.
You could install a library. Fire up the terminal. Run shasum -a 256 filename. Or you could just open a browser tab.
I built a free Hash Generator that runs entirely in your browser — no install, no server, no signup. Here's what it does and when to use each algorithm.
What Is a Hash, Actually?
A hash function takes any input — a word, a sentence, an entire file — and produces a fixed-length string of characters.
Two key properties:
Same input always produces the same output. Hash "hello" with SHA-256 and you always get
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824.You can't reverse it. Given the hash, there's no way to recover the original input. This is intentional — it's what makes hashes useful for password storage.
The 5 Algorithms: When to Use Each
MD5 — 32 characters
5d41402abc4b2a76b9719d911017c592
MD5 is fast and compact. It's also cryptographically broken — researchers can generate collisions (two different inputs that produce the same hash) in seconds.
Use it for: File checksums, cache keys, deduplication, non-security fingerprinting.
Don't use it for: Passwords, signatures, anything security-related.
SHA-1 — 40 characters
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-1 is weak — collision attacks are practical. Google demonstrated a successful SHA-1 collision in 2017 (the SHAttered attack).
Use it for: Legacy systems that require it, Git commit IDs (Git is moving away from it).
Don't use it for: New projects, security applications.
SHA-256 — 64 characters
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
The current standard. Used in TLS, Bitcoin, JWT signatures, most modern APIs, and virtually every security protocol written in the last decade.
Use it for: Almost everything. This is your default.
SHA-384 — 96 characters
59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f
SHA-384 is part of the SHA-2 family, same as SHA-256. Used primarily in TLS certificate chains and some government/compliance contexts.
Use it for: Certificate infrastructure, compliance requirements that specify SHA-384.
SHA-512 — 128 characters
9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043
The strongest in the SHA-2 family. Takes slightly more computation but provides the highest security margin.
Use it for: Sensitive applications, password hashing input (before bcrypt/Argon2), maximum security scenarios.
Real-World Use Cases
Verifying File Downloads
You download a large file. The download page shows a SHA-256 checksum:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Hash the file you downloaded and compare. If they match, the file is intact and untampered. If they don't, something went wrong.
The tool supports file hashing directly — drop in any file, get the hash instantly. No upload needed.
API Request Signing
Many APIs require HMAC signatures — a hash of the request body combined with a secret key. During development, you often need to quickly hash a payload to verify your implementation produces the right output.
Checking for Duplicate Content
Need to find duplicate files in a large dataset? Hash them all. Files with the same hash are identical, regardless of filename.
MD5 is fine for this — collisions are theoretically possible but practically rare for non-adversarial deduplication.
Password Storage (One Step of the Process)
Passwords should never be stored as plain text. They should be hashed.
Important note: SHA-256 alone is not sufficient for password storage. You should use a proper password hashing function like bcrypt, Argon2, or scrypt — these are designed to be slow and include salting to prevent rainbow table attacks.
SHA-256 is often used as a pre-hash step in some implementations, or to understand the concept.
Comparing Data Integrity
You have a configuration file that shouldn't change. Hash it. Run the hash check periodically. If the hash changes, the file changed — intentionally or not.
Uppercase vs Lowercase Output
Hash functions output hexadecimal — digits 0-9 and letters a-f. Both a3b2c1 and A3B2C1 represent the same hash.
The tool defaults to lowercase (more common in web contexts) but has an uppercase toggle. Some systems require uppercase — you'll know if yours does.
One Tool, Five Algorithms
The Hash Generator lets you switch between all five algorithms instantly. Type or paste text, or upload a file, and see the hash update in real time.
Everything runs in your browser using the Web Crypto API for SHA algorithms and a pure-JS MD5 implementation. Your data never leaves your device — no server sees your input.
Quick reference:
| Algorithm | Output | Use Case |
|---|---|---|
| MD5 | 32 chars | Checksums, deduplication |
| SHA-1 | 40 chars | Legacy systems only |
| SHA-256 | 64 chars | General purpose — default |
| SHA-384 | 96 chars | TLS, compliance |
| SHA-512 | 128 chars | Maximum security |
When in doubt: SHA-256.
Part of Ultimate Tools — free, privacy-first browser tools.
Top comments (0)