Hash Generator: MD5, SHA-1, SHA-256, and SHA-512 in One Tool
Generate cryptographic hashes from any text input. MD5, SHA-1, SHA-256, SHA-512 — verify data integrity, compare checksums, and understand hashing.
Hash functions are one of the core building blocks of software security — they power password storage, file integrity verification, digital signatures, and content-addressable storage. The CalcHub Hash Generator lets you hash any string and see the output across multiple algorithms side by side, which is useful for both practical tasks and for understanding how these algorithms compare.
What a Hash Function Does
A hash function takes an input of any length and produces a fixed-length output — the "hash" or "digest". Three properties make this useful:
- Deterministic: The same input always produces the same hash
- One-way: You cannot reverse a hash to get the original input
- Avalanche effect: Changing one character in the input completely changes the hash
"hello" → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"Hello" → 185f8db32921bd46d35cc25b8b71bba39aab7b4a79b5def5c5f7f6c3f11ab1cd
One capital letter, completely different hash. That's the avalanche effect in action.
Algorithms Available
| Algorithm | Output length | Status | Use for |
|---|---|---|---|
| MD5 | 128-bit (32 hex chars) | Broken for security | Checksums, non-security use |
| SHA-1 | 160-bit (40 hex chars) | Deprecated for security | Legacy systems, Git commit IDs |
| SHA-256 | 256-bit (64 hex chars) | Current standard | Passwords, file integrity, TLS |
| SHA-512 | 512-bit (128 hex chars) | Current standard | High-security contexts |
How to Use the Tool
- Type or paste your input text into the field
- All hash outputs update in real time as you type
- Click the copy button next to any hash to grab it
Real Use Cases
Verifying file downloads. When you download software from an official source, they usually provide a SHA-256 checksum. You hash the downloaded file and compare — if it matches, the file is intact and unmodified. This is how you know the installer wasn't tampered with in transit.
Checking if content has changed. Store a hash of a file or database record. Later, hash it again. If the hashes differ, something changed. This is simpler than diff-ing large files.
Understanding password storage (not actually storing passwords). Modern auth systems don't store passwords — they store hashes. When a user logs in, you hash their input and compare to the stored hash. The tool helps visualize this: password123 always produces the same SHA-256 regardless of when you hash it, which is why rainbow table attacks work against unsalted hashes.
# What a database record looks like (simplified)
user_id: 42
email: user@example.com
password_hash: ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
Git content hashing. Git uses SHA-1 (and increasingly SHA-256) to identify every object in the repository — commits, trees, blobs. Each commit ID is a SHA-1 hash of the commit contents plus the parent hash. The hash generator helps understand why Git IDs look the way they do.
Cache keys and ETags. HTTP ETags are often just a hash of the response body. If the content changes, the hash changes, and the browser knows to fetch fresh content.
MD5 vs SHA — Which to Use
Use SHA-256 for anything security-related. MD5 and SHA-1 are cryptographically broken — researchers have demonstrated collision attacks (two different inputs producing the same hash). They shouldn't be used for passwords, digital signatures, or any context where a malicious actor might exploit collisions.
MD5 and SHA-1 are still fine for non-security checksums. Verifying that a file didn't get corrupted in transit, generating cache keys from content, deduplicating data in a database — these use cases don't require collision resistance, so MD5 is fast and convenient.
For passwords specifically, note that SHA-256 alone is also not ideal — password hashing should use algorithms specifically designed for the task (bcrypt, scrypt, Argon2), which are deliberately slow to resist brute-force attacks.
Tips
Hashing vs. encryption. Hashing is one-way and produces fixed-length output. Encryption is reversible and preserves data length (roughly). Don't use one where you need the other.
Salt your password hashes. Plain SHA-256 of a common password is precomputed in rainbow tables. A random salt added to the password before hashing means each hash is unique even for the same password. This is why you shouldn't implement your own password hashing — use a library.
Consistent encoding matters. "hello" hashed as UTF-8 vs. UTF-16 produces different results. When comparing hashes across systems, make sure you're using the same encoding on both ends.
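The salting and encoding tips above, and the earlier note on password storage, as an added Python example (not code from the CalcHub tool): unsalted SHA-256 next to a salted scrypt record from the standard library. The `salt_hex$key_hex` record layout and the scrypt cost values are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt cost settings: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def unsalted_sha256(password, encoding="utf-8"):
    """The weak scheme: same password and encoding, same digest, every time."""
    return hashlib.sha256(password.encode(encoding)).hexdigest()

def hash_password(password):
    """Salted scrypt record, stored as 'salt_hex$key_hex' (constructed format)."""
    salt = os.urandom(16)  # fresh random salt for every record
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt.hex() + "$" + key.hex()

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _, key_hex = record.partition("$")
    key = hashlib.scrypt(password.encode("utf-8"),
                         salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def demo():
    pw = "password123"  # the page's sample password
    alice, bob = hash_password(pw), hash_password(pw)  # two users, same password
    return {
        # Unsalted: both users would store this exact digest.
        "unsalted_digest": unsalted_sha256(pw),
        # Salted: the two stored records differ, yet both still verify.
        "salted_identical": alice == bob,
        "login_ok": verify_password(pw, alice) and verify_password(pw, bob),
        "wrong_password_ok": verify_password("password124", alice),
        # Encoding: the same text as UTF-16 bytes gives another digest.
        "utf16_differs": unsalted_sha256("hello", "utf-16") != unsalted_sha256("hello"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```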
If hashing is one-way, how do password crackers reverse hashes?
They don't reverse them mathematically. They use brute force or dictionary attacks — they hash millions of common passwords and compare the results to the stolen hash. If your password is password123, its SHA-256 hash is in every cracker's precomputed table. This is why password strength matters even when passwords are hashed.
What's a hash collision?
A collision is when two different inputs produce the same hash output. By the pigeonhole principle, collisions must theoretically exist for any hash function (infinite inputs → finite output space). For MD5 and SHA-1, researchers have found practical methods to deliberately construct collisions. For SHA-256, no practical collision attack exists.
Can I use SHA-256 directly for API authentication?
HMAC-SHA256 (Hash-based Message Authentication Code) is the right choice for API authentication — it combines a secret key with the message before hashing, so only parties with the key can verify the signature. Plain SHA-256 without a key can be replayed by anyone who intercepts the hash.
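The difference between a keyed and an unkeyed digest, as an added Python example that is not part of the original page. The request layout (`method`, `path`, `timestamp`, `body`), the sample key, and the 300-second freshness window are assumptions for illustration, not any particular API's scheme.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed sample key, shared by both sides
MAX_SKEW = 300                    # assumed freshness window in seconds

def canonical(method, path, body, timestamp):
    """Bytes covered by the signature: every field the server will act on."""
    return f"{method}\n{path}\n{timestamp}\n".encode("utf-8") + body

def sign(secret, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request."""
    msg = canonical(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, method, path, body, timestamp, signature, now=None):
    """Server side: reject stale requests, then compare in constant time."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW:
        return False  # a captured request stops verifying once it is stale
    expected = sign(secret, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)

def plain_digest(method, path, body, timestamp):
    """Unkeyed SHA-256: anyone can recompute it for any body they choose."""
    return hashlib.sha256(canonical(method, path, body, timestamp)).hexdigest()

def demo():
    ts = 1700000000  # constructed timestamp
    body = b'{"amount": 10}'
    sig = sign(SECRET, "POST", "/v1/transfer", body, ts)
    return {
        "valid": verify(SECRET, "POST", "/v1/transfer", body, ts, sig, now=ts + 5),
        "tampered_body": verify(SECRET, "POST", "/v1/transfer",
                                b'{"amount": 9999}', ts, sig, now=ts + 5),
        "stale": verify(SECRET, "POST", "/v1/transfer", body, ts, sig, now=ts + 301),
        "wrong_key": verify(b"other-key", "POST", "/v1/transfer", body, ts, sig,
                            now=ts + 5),
        # Without a key, a matching digest for a changed body needs no secret.
        "plain_recomputable": plain_digest("POST", "/v1/transfer",
                                           b'{"amount": 9999}', ts),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```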
Related Tools on CalcHub
- Password Generator — generate random strings to hash and test with
- Base64 Encoder — hash outputs are often Base64-encoded for transport
- JWT Decoder — JWTs use HMAC-SHA256 or RSA for their signature
- UUID Generator — another way to generate unique identifiers