Hash Generator

DEVELOPER HASH MD5 SECURITY SHA256
Share:

Generate MD5, SHA-1, SHA-256 and SHA-512 hashes instantly — for passwords, files and data integrity. Free, client-side, nothing sent to any server.

RT-DEV-008 · Developer Tools

Hash Generator Tool

Encoding:
MD5
SHA-1
SHA-256
SHA-512
All hashing is done locally in your browser using the Web Crypto API. Nothing is ever sent to any server.
Advertisement
After results · AD-W1 Responsive · Post-tool — peak engagement

How to Use the Hash Generator

Type your text or switch to File mode to drop a file

In Text mode, type or paste any text — hashes generate automatically as you type. In File mode, drag and drop any file onto the drop zone, or click to select. Files of any size are supported and all processing is local to your browser.

All four hash formats generate automatically

MD5, SHA-1, SHA-256, and SHA-512 are computed simultaneously. SHA-1, SHA-256, and SHA-512 use the browser's native Web Crypto API. MD5 uses a built-in implementation since Web Crypto intentionally omits it (MD5 is cryptographically broken). You can also select UTF-8 or ASCII encoding for text input.

Copy any hash format with one click

Each hash row has its own Copy button. You can also expand the HMAC-SHA-256 section to generate a keyed-hash message authentication code — useful for verifying API webhook payloads. Enter your secret key and the HMAC result appears immediately.

Use the Compare section to verify a known hash against your input

Paste a known hash into the Compare / Verify section. The tool auto-detects the algorithm by hash length, or you can select it manually. A green check mark confirms the hashes match; a red cross indicates they do not.

Advertisement
After how-to · AD-W2 Responsive

Cryptographic Hash Functions — The Building Blocks of Digital Security

What Is a Hash Function and Why Developers Use Them Daily

A cryptographic hash function takes an input of any length and produces a fixed-length output string — the hash or digest. Three properties make hash functions foundational to modern software: they are deterministic (the same input always produces the same output), one-way (it is computationally infeasible to recover the input from the output), and avalanche-sensitive (a single bit change in the input produces a completely different output). That last property — the avalanche effect — is what makes them suitable for integrity checking: even a tiny tamper with a file produces a radically different hash.

In daily development, hash functions appear everywhere. Git identifies every commit, tree, blob, and tag by a hash of its contents — two commits with different content will always have different identifiers. Package managers like npm, pip, and Homebrew verify downloaded packages against published SHA-256 checksums before installation. Content delivery networks use hashes as cache keys. Blockchain mining is fundamentally a hash-finding race. Digital signatures hash the message before encrypting to keep signature sizes manageable. HMAC (Hash-based Message Authentication Code) uses a hash function with a shared secret to let two parties verify that an API request wasn't tampered with in transit.

MD5 vs SHA-256: Why One Is Broken and One Is Still Safe

MD5 was designed in 1991 by Ronald Rivest of MIT. By 1996, researchers had found the first theoretical weakness. By 2004, practical collision attacks were demonstrated — meaning two different inputs could be engineered to produce the same MD5 hash. In 2008, security researchers used MD5 collisions to forge a rogue certificate authority certificate, compromising the entire web PKI. MD5 must never be used for any security purpose today — not for passwords, not for digital signatures, not for certificate fingerprints. Its only legitimate remaining use is as a fast, non-security checksum for verifying file transfer integrity in trusted contexts, where collision attacks are not a concern.

SHA-1 followed a similar trajectory. Theoretical weaknesses were found in 2005. In 2017, Google's research team and CWI Amsterdam produced the SHAttered attack — the first real-world SHA-1 collision, producing two different PDF files with the same SHA-1 hash. Major browsers began rejecting SHA-1 TLS certificates in 2017. NIST formally deprecated SHA-1 for digital signatures in 2011. Today, SHA-256 and SHA-512 — both part of the SHA-2 family — remain secure. Singapore's Cyber Security Agency (CSA) recommends SHA-256 or above for all government systems and digital signatures. SHA-3 (the Keccak algorithm) was selected by NIST in 2012 as an alternative family with a completely different internal structure, offering a hedge against potential future weaknesses in SHA-2.

"In 2017, researchers produced the first real-world SHA-1 collision — two different PDF files with the same SHA-1 hash. SHA-1 is now officially deprecated for security use."

One critical distinction: SHA-256 is a general-purpose hash function, designed to be fast. For password storage, fast is actually dangerous — it makes brute-force attacks easy. Password hashing requires intentionally slow algorithms: bcrypt, scrypt, or Argon2. These algorithms have configurable work factors that can be tuned to keep password cracking prohibitively expensive even on dedicated GPU hardware. Never store passwords as SHA-256 hashes in a database; use bcrypt with a cost factor of at least 12 (as recommended by the RECATOOLS platform itself).

File Integrity Checking: How ASEAN Software Teams Use Hashes

File integrity verification through hashes is a cornerstone of secure software supply chains. When a Linux distribution publishes a new release, it also publishes a SHA256SUMS file containing the expected hash of each ISO image. After downloading, you compute the hash locally and compare — any corruption or tampering during download produces a mismatch. Singapore's GovTech open-source releases on GitHub include SHA-256 checksums for all binary releases, following best practice.

For ASEAN software teams, hash verification is especially important when evaluating third-party libraries. Malaysia and Indonesia have seen a rise in supply chain attacks targeting popular npm and pip packages — inserting malicious versions into public registries. Verifying the SHA-256 hash of a library against the published checksum on the developer's official site provides a defence layer that package manager lock files alone cannot. For organisations in Singapore subject to MAS TRM (Technology Risk Management) guidelines, software integrity verification through hashing is explicitly required for production deployments.

HMAC-SHA-256 is widely used for API webhook signature verification. GitHub, Stripe, and most ASEAN fintech API providers use HMAC-SHA-256 to sign webhook payloads — your server recomputes the HMAC of the incoming request body using the shared secret and compares it to the signature in the request header. A mismatch means the webhook was not sent by the legitimate provider or was tampered with in transit. The HMAC section in this tool lets you compute and verify these signatures without a programming environment.

10 Facts About Hashing

01

MD5 was designed in 1991 by Ronald Rivest — by 1996 the first theoretical weakness was found, and by 2004 practical collision attacks were demonstrated.

02

Git uses SHA-1 hashes for commit IDs — a 40-character hex string that uniquely identifies every commit, tree, blob and tag in the repository.

03

The SHA-256 hash of an empty string is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 — a well-known test value.

04

Bitcoin uses double SHA-256 (SHA-256 applied twice) for its Proof of Work algorithm — chosen because MD5 and SHA-1 were already compromised.

05

bcrypt was designed specifically for password hashing — it is intentionally slow (adjustable work factor) to resist brute-force attacks, unlike SHA-256.

06

Singapore's government API guidelines from GovTech require HMAC-SHA256 for API request signing — ensuring requests cannot be tampered with in transit.

07

The SHA-3 standard (Keccak algorithm) was selected by NIST in 2012 after a 5-year public competition — using a completely different "sponge construction" from SHA-2.

08

NIST formally deprecated SHA-1 for digital signatures in 2011 — yet many legacy systems and certificates still use it, making detection tools valuable.

09

A rainbow table attack pre-computes hashes for millions of passwords — MD5 tables exist online covering all common passwords in seconds. SHA-256 + salt defeats them.

10

Content Delivery Networks use SHA-256 hashes as cache keys — ensuring the same file at different URLs gets the correct cached version.

Frequently Asked Questions

  • MD5 (Message Digest Algorithm 5) is a hash function designed in 1991 that produces a 128-bit (32 hexadecimal character) digest from any input. It was originally used for digital signatures and password storage. MD5 hashes update automatically in this tool as you type, making it easy to compute checksums for data verification purposes. Note that MD5 is no longer considered cryptographically secure for security applications.
  • No — not for any security purpose. MD5 collision attacks have been practical since 2004, meaning two different inputs can be engineered to produce the same MD5 hash. This breaks any system that relies on MD5 for authenticity. MD5 is still widely used as a fast, non-security checksum for detecting accidental file corruption (where malicious collision engineering is not a concern). Never use MD5 for passwords, digital signatures, certificates, or API authentication. Use SHA-256 or above for any security-sensitive hashing.
  • SHA-256 is the current standard for general-purpose cryptographic hashing. It is used for: verifying file integrity (software downloads, package managers), digital signatures (code signing, TLS certificates), blockchain (Bitcoin's proof-of-work), HMAC-SHA-256 for API authentication, Git's next-generation object hashing (SHA-256 is being adopted as Git's successor to SHA-1), and as the basis for most modern security protocols. Singapore's CSA recommends SHA-256 or above for all government systems.
  • Both are part of the SHA-2 family and are currently secure. SHA-256 produces a 256-bit (64 hex character) digest; SHA-512 produces a 512-bit (128 hex character) digest. SHA-512 has a larger security margin against future brute-force attacks, and is actually faster than SHA-256 on 64-bit processors because its internal word size is 64-bit (vs SHA-256's 32-bit). For most applications, SHA-256 is sufficient. SHA-512 is preferred for very long-term archival signatures or high-security environments where the extra margin is worth the storage overhead.
  • Not through mathematical reversal — a cryptographic hash function is designed to be a one-way function. However, short or common inputs can be "reversed" through lookup tables (rainbow tables) that pre-compute hashes for millions of known inputs. This is why weak passwords stored as unsalted hashes (especially MD5) can be cracked instantly from online databases. For SHA-256, rainbow tables for common passwords still exist. Only bcrypt, scrypt, or Argon2 with a unique salt per password reliably defeats these attacks at scale.
  • HMAC (Hash-based Message Authentication Code) combines a hash function with a shared secret key to produce a code that verifies both the integrity and authenticity of a message. Unlike a plain hash, an HMAC cannot be forged without knowledge of the secret key. You need HMAC when you want to verify that a message hasn't been tampered with and was sent by a party who knows the shared secret. Common uses: API webhook signature verification (GitHub, Stripe, Shopify all use HMAC-SHA-256), JWT signing, API request signing per GovTech Singapore's guidelines, and secure session tokens.
  • Download the file and note the SHA-256 hash published on the official download page. Switch to File mode in this tool, drop the downloaded file onto the drop zone, then copy the SHA-256 result. Paste the published hash into the Compare / Verify section and select SHA-256. A green check mark confirms the file is intact and matches the official release. A mismatch means the file was corrupted during download or may have been tampered with — delete it and download again from a trusted source.
  • SHA-256 is designed to be extremely fast — it can compute billions of hashes per second on modern GPU hardware. This is great for file integrity checking but terrible for passwords. An attacker who obtains a SHA-256 password hash can try billions of password guesses per second until they find a match. Password hashing requires intentionally slow algorithms: bcrypt (adjustable cost factor), scrypt, or Argon2. These algorithms are calibrated to take hundreds of milliseconds to compute a single hash — fast enough for legitimate logins, slow enough to make bulk cracking impractical. RECATOOLS uses bcrypt with cost=12 for all user passwords.
  • No. All hashing is performed entirely in your browser using the Web Crypto API (window.crypto.subtle) and a self-contained MD5 implementation. Your text and files never leave your device. You can verify this by opening your browser's developer tools Network tab while using the tool — you will see zero data requests related to your input. This makes the tool safe to use with confidential documents, API keys, or sensitive data you need to hash locally.
  • A hash collision occurs when two different inputs produce the same hash output. Because hash functions compress arbitrary-length input to a fixed-length output, collisions must theoretically exist (infinitely many inputs, finite outputs). A secure hash function makes it computationally infeasible to find a collision — meaning you cannot deliberately engineer two different files with the same hash in any reasonable timeframe. MD5 and SHA-1 have both been demonstrated to have practical collision attacks. SHA-256 and SHA-512 have no known practical collision attacks and are considered collision-resistant for current hardware.

Related News

You may be interested in these recent stories from our newsroom.

View all news →
Advertisement
Pre-footer · AD-W3 728 × 90

75 more free tools

Calculators, converters, security tools — no signup.

Browse all tools → Latest news