glunty

Hash Generator (MD5, SHA-256, SHA-512)

Compute MD5, SHA-1, SHA-256, SHA-384, SHA-512 of any text. Local crypto only.

MD5 and SHA-1 are cryptographically broken (collision attacks are practical). Use them for non-security purposes only (checksums, cache keys, ETags). For passwords, signatures, or anything trust-bearing, use SHA-256 or stronger, and prefer purpose-built primitives like HMAC, Argon2, or bcrypt.

What this tool does

Computes cryptographic hashes of UTF-8 text using five algorithms in parallel: MD5, SHA-1, SHA-256, SHA-384, and SHA-512. Hashes update as you type. Output is in lowercase hexadecimal. SHA family hashes are computed with the browser's built-in WebCrypto API (constant-time, hardware-accelerated where available). MD5 uses an embedded JavaScript implementation since browsers no longer provide MD5 natively. Everything runs locally; your input is not transmitted.

How to use it

Type or paste your input. All five hashes update live. Click Copy next to any hash to put it on your clipboard. Example: hashing the text hello produces SHA-256 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 and MD5 5d41402abc4b2a76b9719d911017c592.

Common use cases

  • Producing a deterministic cache key from a URL or a long input string.
  • Verifying a downloaded file matches the publisher's checksum.
  • Computing an ETag for a small piece of content.
  • Generating a content-addressable identifier (where same input always produces same id).
  • Quick lookup against a known-bad-hash list during incident response.

Common pitfalls

  • Encoding matters. The same string hashed as UTF-8 vs UTF-16 vs Latin-1 produces different output. This tool uses UTF-8. If you compare against a hash computed elsewhere and they disagree, encoding mismatch is the most common cause.
  • Hex vs base64. SHA-256 of "hello" in hex is 64 characters; in base64 it is 44 characters. They represent the same bytes. Different tools default to different output formats.
  • MD5 and SHA-1 are not for security. Both have practical collision attacks. Do not use them for password storage, digital signatures, or anything where an adversary could craft a colliding input. Use SHA-256 or stronger; for passwords specifically, use a password-hashing primitive (Argon2, scrypt, bcrypt) rather than a raw hash.

Frequently asked questions

Why are MD5 and SHA-1 considered broken?
Both have practical collision attacks: researchers have produced different inputs that hash to the same output. For non-security uses (file integrity checks against accidental corruption, cache keys, ETags) they remain useful. For security uses (password storage, digital signatures, anti-tampering) they have been deprecated for over a decade. Use SHA-256 or stronger; for passwords specifically use Argon2, scrypt, or bcrypt.
What is the difference between SHA-256 and SHA-512?
Both produce a fixed-size output, both resist all known attacks, both are widely supported. SHA-256 produces 256 bits (64 hex characters); SHA-512 produces 512 bits (128 hex). SHA-512 is slightly faster on 64-bit systems because it works on 64-bit chunks; SHA-256 is faster on 32-bit. For most uses either is fine; SHA-256 is the more common default.
Can I reverse a hash to recover the original input?
Not in general. Cryptographic hashes are one-way: there is no efficient algorithm to compute the input from the output. However, for short or low-entropy inputs (a 4-digit PIN, a common password), an attacker can compute hashes of all possible inputs and match against your hash. This is why password storage uses key-derivation functions with salt, not raw hashes.
Why does my hash differ from one computed elsewhere?
The most common cause is encoding mismatch. This tool hashes UTF-8 bytes. Another tool may use UTF-16, Latin-1, or some other encoding, producing different bytes from the same string. Other causes: trailing whitespace, line-ending differences (CRLF vs LF), or a BOM at the start of the input.
Is my input sent anywhere when I compute a hash here?
No. The tool runs entirely in your browser. Your input is never transmitted. SHA family hashes use the browser native WebCrypto API. The MD5 implementation is embedded in the page since browsers do not expose MD5.
When should I use HMAC instead of a plain hash?
Use HMAC when you need to authenticate that a message came from someone who shares a secret key with you, not just that the bytes have not changed. HMAC combines a hash function with a key in a way that prevents length-extension attacks. WebCrypto supports HMAC; raw hashes alone do not authenticate.

Embed this tool

Free for any use; attribution appreciated. Paste this on your site:

The embed runs the same tool that lives at this URL. No tracking; no ads inside the embed. Resize height as needed for your layout.

Cite this tool

For academic, journalistic, or technical references. Pick a format:

Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.

Embedded tool from glunty.com