Hash Generator
100% private
Free online hash generator — compute MD5, SHA-1, SHA-256, SHA-512, and SRI hashes instantly. All hashing runs in your browser; your input never leaves your device.
This free online hash generator computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 cryptographic hashes of any text input. SHA hashes use the browser-native Web Crypto API (SubtleCrypto.digest) for maximum accuracy; MD5 runs via a pure JavaScript implementation. All computation is done locally — paste sensitive input like API keys, tokens, or configuration strings and the data never leaves your machine. Results are displayed in lowercase hex and copied with a single click.
The MD5 hash generator remains widely used for legacy checksums and file integrity verification, though it must not be used for any security purpose. The SHA-256 hash generator is the current standard for code signing, TLS certificates, Subresource Integrity (SRI), and most modern cryptographic applications. For WordPress password hashes, note that WordPress uses phpass (a bcrypt-based scheme) since version 2.5 — not plain MD5 — so this tool's MD5 output will not match a stored WordPress password hash. For SRI hash generation, take the SHA-256 or SHA-384 output from this tool, Base64-encode it, and prefix with sha256- or sha384-.
Developers looking for a bcrypt hash generator or Argon2 hash generator for password storage should know that bcrypt and Argon2 are purpose-built slow hashing algorithms designed to resist GPU brute-force attacks — they are not implemented in this tool, which focuses on fast cryptographic hash functions (MD5, SHA family). Use bcrypt (bcryptjs in Node.js, passlib in Python) or Argon2 for password storage. Use this hash generator for checksums, data integrity, SRI attributes, HMAC debugging, and educational purposes.
How It Works
- Type or paste your input text into the field
- Select the algorithm: MD5, SHA-1, SHA-256, SHA-384, or SHA-512
- The hash is computed instantly using the Web Crypto API (SHA) or a JS implementation (MD5)
- Copy the hex digest — your input is never transmitted or stored anywhere
Features
- MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hash algorithms
- SHA hashes computed via browser-native Web Crypto API (SubtleCrypto.digest)
- Instant computation — results appear as you type
- One-click copy in lowercase hex format
- SRI hash output: SHA-256 and SHA-384 suitable for HTML integrity attributes after Base64 encoding
- 100% browser-based — your input never leaves your device
- No file upload limit — hash any length of text
Examples
SHA-256 hash of "hello"
Input
hello
Output
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
MD5 hash of "hello world"
Input
hello world
Output
5eb63bbbe01eeed093cb22bb8f5acdc3
SHA-512 hash of "secret"
Input
secret
Output
bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2
Common Use Cases
- Generating SHA-256 or SHA-384 hashes for Subresource Integrity (SRI) attributes in HTML script and link tags
- Creating MD5 checksums to verify file integrity or match legacy system expectations
- Computing expected hash values for API signature debugging and HMAC key material
- Generating known hash fixtures for unit test assertions
- Checking whether a string matches a known MD5 or SHA hash during debugging
Developer Tips
- For SRI attributes: take the SHA-256 output, Base64-encode it (the raw digest bytes that the hex represents, not the hex text itself), and use integrity="sha256-BASE64" crossorigin="anonymous" on your script or link tag
- Never use MD5 or SHA-1 for password storage — use bcrypt, Argon2, or scrypt; all three are intentionally slow and salt the input automatically
- SHA-256 output is always 64 hex characters (256 bits); SHA-512 is 128 characters — use this to sanity-check which algorithm produced a given hash
- Hash functions are deterministic — any whitespace, newline, or encoding difference produces a completely different output; trim and normalize your input if hashes differ unexpectedly
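The SRI tip and the length sanity check above, combined in an added example (not this tool's code; the function names are hypothetical). It decodes the hex digest to raw bytes before Base64-encoding, and shows that encoding the hex text instead produces a value that can never match the file.

```javascript
// Added example, not the tool's own code; all function names are hypothetical.
// Expected hex length per SRI algorithm (SRI also accepts sha512).
const HEX_LEN = { sha256: 64, sha384: 96, sha512: 128 };
const SUBTLE_NAME = { sha256: 'SHA-256', sha384: 'SHA-384', sha512: 'SHA-512' };

// Correct: decode the hex digest to raw bytes, then Base64-encode those bytes.
function sriFromHex(alg, hex) {
  const want = HEX_LEN[alg];
  if (!want) throw new Error(`not an SRI algorithm: ${alg}`);
  const clean = hex.trim().toLowerCase();
  // Length check catches a digest pasted from the wrong algorithm (e.g. MD5).
  if (clean.length !== want || !/^[0-9a-f]+$/.test(clean)) {
    throw new Error(`${alg} needs exactly ${want} hex characters`);
  }
  let raw = '';
  for (let i = 0; i < clean.length; i += 2) {
    raw += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return `${alg}-${btoa(raw)}`;
}

// Wrong: Base64 of the hex *text*. The result is twice as long and does not
// match the resource, so a browser enforcing SRI refuses to load it.
function sriFromHexText(alg, hex) {
  return `${alg}-${btoa(hex.trim())}`;
}

// Alternative that skips hex entirely: hash the exact file bytes with
// Web Crypto (SubtleCrypto.digest) and Base64-encode the digest directly.
async function sriFromBytes(alg, bytes) {
  const name = SUBTLE_NAME[alg];
  if (!name) throw new Error(`not an SRI algorithm: ${alg}`);
  const digest = new Uint8Array(await crypto.subtle.digest(name, bytes));
  return `${alg}-${btoa(String.fromCharCode(...digest))}`;
}

// Sample input: the SHA-256 hex digest of "hello" from the Examples section.
const HELLO_SHA256 =
  '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824';
```

Hash the exact bytes that will be served: a trailing newline or a different encoding changes the digest and the integrity check fails.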
Frequently Asked Questions
- What is a hash generator?
- A hash generator is a tool that takes any input text and produces a fixed-length string called a hash or digest using a cryptographic hash function. The same input always produces the same hash, but the process is one-way — you cannot recover the original input from the hash alone. Hash generators are used to verify data integrity, generate checksums for file downloads, compute SRI hashes for web assets, and debug HMAC signatures.
- What is an SHA-1 hash generator?
- An SHA-1 hash generator computes a 160-bit (40 hex character) digest of any input using the SHA-1 algorithm standardized by NIST in 1995. SHA-1 was once the standard for TLS certificates and code signing but is now deprecated for security use — Google's SHAttered attack (2017) demonstrated a practical collision. SHA-1 is still used for Git commit identifiers and some legacy HMAC implementations. For any new security use, choose SHA-256 or SHA-512 instead.
- How do I use an MD5 hash generator?
- To use an MD5 hash generator: type or paste the text you want to hash into the input field, select MD5 as the algorithm, and the 32-character hexadecimal digest appears immediately. MD5 produces the same hash for identical input every time — a common use is verifying that a downloaded file is intact by comparing its MD5 against the one published by the source. MD5 is cryptographically broken and must not be used for passwords, digital signatures, or any security-sensitive purpose.
- What is a cryptographic hash?
- A cryptographic hash function takes any input and produces a fixed-length digest. The same input always produces the same hash, but it is computationally infeasible to reverse — you cannot derive the original input from the hash. Even a one-character change in the input produces a completely different hash (the avalanche effect). Common algorithms include MD5 (128-bit), SHA-1 (160-bit), SHA-256 (256-bit), and SHA-512 (512-bit).
- Which hash algorithm should I use?
- Use SHA-256 or SHA-512 for any new application. SHA-256 is the modern standard for TLS certificates, code signing, SRI attributes, and most cryptographic protocols. SHA-512 provides additional security margin. SHA-1 is deprecated for security — it has known collision vulnerabilities. MD5 is cryptographically broken and should never be used for security — only for legacy checksums where collisions do not matter.
- Can I use this to hash passwords?
- Not for production use. Plain SHA-256 or MD5 hashing is unsuitable for storing user passwords because these algorithms are too fast — a modern GPU can test billions of guesses per second against a stolen hash database. For password storage, use bcrypt (bcryptjs in Node.js, passlib.bcrypt in Python), Argon2, or scrypt. These are intentionally slow, include a random salt per password, and are designed to remain computationally expensive as hardware improves. Use this tool only for educational or debugging purposes.
- Is my input data safe to paste here?
- Yes. All hashing runs in your browser using JavaScript and the Web Crypto API. Nothing is sent to any server, logged, or stored. You can safely paste API keys, tokens, passwords, or confidential strings — they never leave your machine. The computation happens entirely in browser memory and is discarded when you navigate away.