Skip to content

Hash Generator, SHA-256 SHA-512

Compute SHA-1, SHA-256, SHA-384, and SHA-512 hashes of any text using the browser Web Crypto API.

In your browseryour files never leave your device.

Learn more
⌘Enter re-hash
Input: 0 bytesActive: SHA-256 (256-bit)
SHA-1 · 160-bit
hash will appear here…
SHA-256 · 256-bit
hash will appear here…
SHA-384 · 384-bit
hash will appear here…
SHA-512 · 512-bit
hash will appear here…

About this tool

A cryptographic hash takes any input and produces a fixed-length string that changes wildly if the input changes by one bit and is impossible to reverse in any practical sense. SHA-2 (the family that includes SHA-256, SHA-384, and SHA-512) is the modern default for everything from file checksums to commit hashes to API request signatures. SHA-1 still exists in the wild — Git uses it for object IDs, plenty of legacy systems use it for checksums — but it has been cryptographically broken for collision resistance since 2017 (the SHAttered attack from CWI Amsterdam and Google), so it is fine for non-security uses and wrong for anything where forging matters. This tool runs SubtleCrypto.digest in your browser and outputs hex strings identical to what Python hashlib, Node crypto.createHash, or any standards-compliant library produces.

How to hash generator, sha-256 sha-512

  1. Type or paste your input

    Any text, any length. Empty input shows blank hashes; one character produces 40/64/96/128 hex characters respectively. The input is treated as a UTF-8 byte string, which matches what hashlib and crypto.createHash do by default in their respective languages.

  2. Read all four hashes

    The page shows SHA-1, SHA-256, SHA-384, and SHA-512 side by side, recomputing as you edit the input. Pick whichever your use case demands. For verification against a published hash, the algorithm is usually specified next to the hash value (e.g. "sha256: abc123...").

  3. Copy the one you need

    Each hash has its own copy button. Click and the hex string lands on your clipboard. The copy includes only the hash, not the algorithm label, so you can paste it directly into a comparison check.

  4. Compare

    Paste the computed hash into your verification target — a checksum file, a signed-URL parameter, an audit log — and confirm it matches. If you are doing this for download verification, the standard is to compare visually or with a single-line diff (diff <(echo "$expected") <(echo "$actual") in bash).

Features

Four algorithms in parallel

SHA-1, SHA-256, SHA-384, SHA-512 all compute on the same input and display together. No need to pick first. Useful when you are not sure which one the spec needs, or when you want to compare lengths (SHA-1 is 40 hex chars, SHA-256 is 64, SHA-384 is 96, SHA-512 is 128). The parallel computation costs almost nothing extra because SubtleCrypto is highly optimized; you get all four for the price of one.

Web Crypto API under the hood

SubtleCrypto.digest is a browser-native primitive — same code path Node's crypto module uses on the server, same underlying implementation as OpenSSL on most platforms. Output is identical hex-for-hex with hashlib.sha256(input.encode()).hexdigest() in Python, crypto.createHash("sha256").update(input).digest("hex") in Node, and equivalent calls in Go, Rust, or Java. No "JavaScript-flavored" hash — these are the real, standards-compliant outputs that interoperate with every backend.

Live computation with debounce

Hashes update as you type with a tiny debounce so the page does not stutter on long inputs. Drop in a few hundred KB of text and the hash appears in milliseconds. Empty input shows blank hashes; one character of input produces a full 40-char SHA-1 and 64/96/128-char SHA-2 hashes that all change completely when you add or remove a single byte. That avalanche property is the whole point of cryptographic hashing.

Local-only execution

crypto.subtle.digest runs in the browser. Your input is not transmitted. This matters because the most common reason to hash a string in a tool is to compare it against a known hash without revealing the original — typing a password or a secret into a server-side hash tool would be exactly the wrong move because the server then sees the secret directly. Open DevTools, watch the Network tab, hash anything, and confirm no outbound requests.

Privacy & security

SubtleCrypto.digest runs in the browser using the same FIPS 180-4 implementation OpenSSL ships on most platforms. Your input string is converted to UTF-8 bytes by TextEncoder, the digest is computed in your tab, and the hex output is rendered into the DOM. Hashing is one of those operations where running it remotely defeats the point: the most common reason to hash a string is to derive a verifier without exposing the original secret, and pasting that secret into a server-side tool would directly contradict the goal.

Frequently asked questions

Why is MD5 missing?
SubtleCrypto does not expose MD5 — the W3C decided not to ship a known-broken algorithm in a modern API. MD5 has been broken for collision resistance since 2004 and the W3C draws the line. You can still find MD5 in checksums for non-security use (some torrent files, some legacy installers, some CMS export formats), and if you really need it, a small JavaScript library (spark-md5 is the standard pick) or a one-liner via openssl/md5sum on the command line is the move. For new use cases, pick SHA-256 instead — it is barely slower and not broken.
SHA-1 is broken, so why include it?
Broken for collision resistance means an attacker who controls both inputs can find a pair that hashes to the same value. That matters for digital signatures and certificate validation, where it would let an attacker forge documents — TLS certificates with SHA-1 signatures were retired around 2016 for this reason. It does not matter for use cases like Git object IDs or non-security checksums, where you only care about accidental corruption and you trust the inputs. Plenty of systems still use SHA-1 for these — Git is the obvious one, despite a long-planned migration to SHA-256. So it stays in the tool for those workflows. Just do not use SHA-1 for new security-relevant hashing.
Which hash should I pick for password storage?
None of these. SHA-256 is too fast for password hashing — an attacker with a GPU farm can try billions of guesses per second against a leaked database of SHA-256 hashes, even when those hashes are salted. Use a slow, salted, memory-hard password hash like bcrypt, scrypt, or Argon2id, which are designed to be expensive to compute (deliberately taking 100ms+ per hash) and resist GPU and ASIC attacks. SHA-256 is the right primitive for HMAC, content addressing, signatures, and request fingerprinting — not for password storage.
Does the output match hashlib.sha256 or crypto.createHash exactly?
Yes. SubtleCrypto.digest produces standard SHA-256 over the input bytes; hashlib.sha256(text.encode()) and crypto.createHash("sha256").update(text).digest("hex") produce the same bytes from the same input. The only gotcha is text encoding — both this tool and a typical .encode() default to UTF-8. If you hash the same string with one tool using UTF-8 and another using UTF-16 or Latin-1, you get different hashes; that is the input being different at the byte level, not the algorithm. Always confirm encoding when comparing hashes across systems.
Can I hash a file with this tool?
Not directly — it takes text input. For files, the CLI is faster anyway: shasum -a 256 file.iso on macOS, sha256sum file.iso on Linux, Get-FileHash file.iso on PowerShell, or certutil -hashfile file.iso SHA256 on Windows cmd. Browser-side file hashing is possible with FileReader and SubtleCrypto in a few lines of code; for one-off file hashing the CLI is one line and faster than uploading the file into a browser.