Hash Generator (MD5 / SHA)

Generate cryptographic hashes — MD5, SHA-1, SHA-256, SHA-384, SHA-512. Runs in your browser via Web Crypto API.

What are cryptographic hashes and when do you need them?

A cryptographic hash function is a deterministic algorithm that turns any input (a few bytes, a multi-gigabyte file, the entire English Wikipedia) into a fixed-size output called a 'digest' or 'hash'. SHA-256 produces 256 bits (64 hex characters); SHA-512 produces 512 bits; MD5 produces 128 bits. Four properties define a 'cryptographic' hash, as opposed to a non-cryptographic one (like CRC32): determinism (same input → same hash, always), avalanche effect (changing one bit changes roughly half the output bits), preimage resistance (you can't reverse the hash to recover the input), and collision resistance (you can't find two inputs that produce the same hash). When hash functions are broken, it's usually the last two properties that fall — collision attacks against MD5 (2004) and SHA-1 (2017) made them unsuitable for security purposes, though they're still fine for non-adversarial integrity checks like file checksums. Use SHA-256 or SHA-512 for any new security work. This tool uses the browser's Web Crypto API (crypto.subtle.digest), which is hardware-accelerated on modern devices and produces output byte-identical to OpenSSL, Python's hashlib, and Node's crypto module.

Common use cases

  • Verify a downloaded file matches the publisher's listed SHA-256 (Linux ISOs, security tool releases).

  • Generate a content-addressable identifier for cache keys (hash of content → stable URL).

  • Create a deduplication key for storing files (hash matches = identical file).

  • Build webhook signature verification — HMAC-SHA256 of payload with shared secret.

  • Generate Git-style content hashes (SHA-1 for tree/blob identifiers).

  • Validate the integrity of a database row by hashing key columns and storing the hash.

Frequently asked questions

Why is MD5 deprecated for security?
Cryptographers have found ways to construct two different inputs that hash to the same MD5. Once collisions are findable, MD5 stops being a reliable integrity signal for adversarial scenarios (someone could swap a file and produce one with the same hash). For non-adversarial checksums (did the file download cleanly?), MD5 still works fine — it's just unsafe for digital signatures or anything attacker-influenced.
Can hashes be reversed?
Not directly — cryptographic hashes are one-way functions. But: (1) for short or low-entropy inputs (passwords, common phrases), attackers can precompute hashes of every likely input (rainbow tables) and look up your hash. That's why password hashing uses unique random salts. (2) For arbitrary-length high-entropy inputs (random keys, file contents), reversal is computationally infeasible.
What's the difference between SHA-256 and HMAC-SHA256?
SHA-256 is a plain hash — anyone with the input can compute the same hash. HMAC-SHA256 is a keyed hash — you need a shared secret to compute it. Webhooks use HMAC because the verifier wants to know 'did someone who knows the secret create this?', not just 'does the payload match a known value?'. Use our HMAC Generator for the keyed variant.
When should I use SHA-512 over SHA-256?
SHA-512 has more output bits (512 vs 256), making collision attacks theoretically harder. But SHA-256 is already secure beyond any reasonable timeframe (2^128 effective collision strength). SHA-512 is sometimes faster on 64-bit hardware due to wider internal operations. Use SHA-256 by default; use SHA-512 if you have a specific reason.
Why does my SHA hash differ from another tool's?
Three likely causes: (1) Different input encoding — the bytes hashed must match. UTF-8 vs UTF-16 vs Latin-1 produce different hashes for the same visible text. This tool encodes input as UTF-8. (2) Trailing newline — some tools add a newline; some don't. (3) BOM (byte-order mark) — a hidden three-byte prefix some editors add to UTF-8 files.
Is this safe to use with sensitive data?
Yes — hashing happens locally in your browser via Web Crypto. The input never leaves your device. Hashes themselves are not 'sensitive' in the sense that they don't reveal the input (assuming sufficient input entropy), but if you're hashing low-entropy data (like passwords without salt), be aware that anyone seeing the hash could potentially reverse it via rainbow tables.
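
The three causes listed under "Why does my SHA hash differ from another tool's?" can be checked mechanically. The Python sketch below is an added example, not code from this tool; the names candidate_inputs and explain_mismatch and the sample text are assumptions made for illustration. It goes slightly beyond the answer by also trying CRLF line endings and the UTF-16 byte-order marks.

```python
import hashlib

# Byte-level variations named in the FAQ answer: input encoding,
# trailing newline, and a byte-order mark (BOM) prefix.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "latin-1")
NEWLINES = {"none": "", "LF": "\n", "CRLF": "\r\n"}
BOMS = {"utf-8": b"\xef\xbb\xbf", "utf-16-le": b"\xff\xfe", "utf-16-be": b"\xfe\xff"}


def candidate_inputs(text):
    """Yield (description, bytes) for each plausible byte form of `text`."""
    for enc in ENCODINGS:
        for nl_name, nl in NEWLINES.items():
            try:
                body = (text + nl).encode(enc)
            except UnicodeEncodeError:
                break  # text cannot be represented in this encoding (e.g. Latin-1)
            yield f"{enc}, newline={nl_name}, no BOM", body
            if enc in BOMS:
                yield f"{enc}, newline={nl_name}, with BOM", BOMS[enc] + body


def explain_mismatch(text, other_digest, algorithm="sha256"):
    """Return the description of every byte form whose digest equals other_digest."""
    wanted = other_digest.strip().lower()
    return [
        description
        for description, data in candidate_inputs(text)
        if hashlib.new(algorithm, data).hexdigest() == wanted
    ]


if __name__ == "__main__":
    # Constructed sample: the digest another tool would report for "café"
    # if it appended a trailing LF before hashing.
    other = hashlib.sha256("café\n".encode("utf-8")).hexdigest()
    print(explain_mismatch("café", other))
```

An empty result means none of these byte-level differences explains the mismatch, so the two tools were most likely given different text or different algorithms. For pure-ASCII text the UTF-8 and Latin-1 forms are identical bytes, so both are reported.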