Which hash algorithm should I use?

For most applications, use SHA-256. For maximum security, use SHA-512. Avoid MD5 and SHA-1 for any security-sensitive use — both are cryptographically broken.

Can I hash passwords with this tool?

No. SHA-256 and other general hash functions are too fast to be safe for password hashing. Use bcrypt, scrypt, or Argon2 with a salt for password storage.

What does the file checksum feature do?

It computes SHA-1, SHA-256, SHA-384, and SHA-512 hashes for any file you drop onto the tool. Compare the result against the checksum published by the file source to verify the file has not been corrupted.

What are the output format options?

Hex is standard lowercase hexadecimal. HEX is the same value in uppercase. Base64 encodes the binary hash in Base64 notation, which is used in some APIs and JWT headers.

When live mode is on, hashes update automatically as you type, with a 200ms debounce. Disable it if you want to control exactly when hashes are computed.

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly

Text Input

Live

0 characters

HMAC Mode

Enable HMAC to generate keyed-hash message authentication codes using a secret key (SHA algorithms only).

Output Format

Verify Hash

Hash Results

Start typing to generate hashes instantly

File Checksum

Drop file or click to compute checksums

Any file type supported

Free Online Hash Generator — MD5, SHA-1, SHA-256, SHA-384, SHA-512

A hash function takes any piece of text and produces a fixed-length string of characters called a hash (also known as a digest or checksum). No matter how long or short the input is, the hash output is always the same length — 32 characters for MD5, 40 for SHA-1, 64 for SHA-256, and so on. More importantly, even a tiny change in the input completely changes the hash output. This property makes hash functions one of the most useful tools in computing and security.

The OmniWebKit Hash Generator lets you calculate hashes for any text string or file directly in your browser. It supports five algorithms: MD5, SHA-1, SHA-256, SHA-384, and SHA-512. All computation happens locally using the Web Crypto API (for SHA algorithms) and a native JavaScript MD5 implementation — no data is sent to any server.

The tool includes live mode (hashes update as you type), HMAC mode for keyed hashing, output format options (hex lowercase, hex uppercase, Base64), a hash verification panel, and file checksum generation for any file type.

Hash Algorithms Explained

MD5 (128-bit)

❌ Insecure for security

MD5 is one of the oldest and most widely recognised hash functions. It produces a 32-character hex output (128 bits). While it is fast and still used for non-security purposes like file integrity checks and checksums, it is completely broken for cryptographic security. Collision attacks — finding two different inputs with the same hash — are computationally trivial for MD5 today. Never use MD5 to hash passwords or in any security-sensitive context.

SHA-1 (160-bit)

⚠️ Legacy, deprecated

SHA-1 produces a 40-character hex string (160 bits). It was once the industry standard for digital signatures and SSL certificates, but SHA-1 was formally deprecated by NIST in 2011. Practical collision attacks on SHA-1 have been demonstrated. Modern browsers and certificate authorities no longer accept SHA-1 certificates. SHA-1 hashes are still generated by this tool for legacy verification purposes, but you should not use SHA-1 for new applications.

SHA-256 (256-bit)

✅ Recommended

SHA-256 is the most widely recommended general-purpose hash algorithm today. It produces a 64-character hex string (256 bits) and is part of the SHA-2 family. It powers Bitcoin mining, TLS certificates, git commit verification, and code signing. SHA-256 has no known practical vulnerabilities — it is considered cryptographically secure and is the right choice for most applications where you need a hash.

SHA-384 (384-bit)

✅ Strong

SHA-384 is a truncated version of SHA-512 that produces a 96-character hex output (384 bits). It provides a higher security margin than SHA-256 and is commonly used in TLS cipher suites and government cryptography standards. It is slightly slower than SHA-256 but more resistant to future length-extension attacks.

SHA-512 (512-bit)

✅ Maximum strength

SHA-512 produces a 128-character hex string (512 bits). It is the strongest SHA-2 variant and is often faster than SHA-256 on 64-bit systems despite producing twice as many bits. Use SHA-512 when you need the maximum available hash strength — for example, in high-security applications, key derivation, or long-term archival integrity.

What Is HMAC and When Should You Use It?

HMAC stands for Hash-based Message Authentication Code. It is a specific way of generating a hash that involves a secret key in addition to the input message. The result proves two things at once: that the data has not been tampered with (integrity), and that the hash was generated by someone who knows the secret key (authenticity).

A regular SHA-256 hash only verifies integrity — anyone can recompute the hash from the data. An HMAC-SHA256, on the other hand, can only be verified (or reproduced) by someone who knows the secret key. This makes HMAC the right tool for API request signing, webhook verification, JSON Web Token (JWT) generation, and any situation where you need both integrity and authentication.

Enable HMAC mode in this tool and enter your secret key to generate HMAC equivalents of SHA-1, SHA-256, SHA-384, and SHA-512. (MD5 is excluded from HMAC mode because of its insecurity.)

Frequently Asked Questions

Is my text or file sent to a server?+

No. All hashing is performed entirely in your browser using the Web Crypto API (for SHA algorithms) and a JavaScript MD5 implementation. Your input never leaves your device.

What is the difference between MD5, SHA-1, and SHA-256?+

They differ in output size, speed, and security level. MD5 (128-bit) and SHA-1 (160-bit) are broken for security purposes — avoid them in new applications. SHA-256 (256-bit) is the current recommended standard. SHA-384 and SHA-512 offer higher security margins at the cost of slightly longer output.

Can I use this to hash passwords?+

No. General hash functions like SHA-256 are not appropriate for hashing passwords because they are too fast — attackers can try billions of guesses per second. Passwords should be hashed using slow, purpose-built algorithms like bcrypt, scrypt, or Argon2 with a salt. This tool is not suitable for password hashing.

What is a hash collision?+

A collision is when two different inputs produce the same hash output. MD5 and SHA-1 are considered broken because practical collision attacks exist. SHA-256, SHA-384, and SHA-512 have no known practical collision attacks.

What is the file checksum feature for?+

File checksums let you verify that a file has not been corrupted or tampered with. Drop a file onto the checksum area and compare the resulting hash against the hash published by the file's original source. If they match, the file is identical to the original.

What are the three output formats?+

Hex (lowercase) is the standard format for hash output. HEX (uppercase) is the same value displayed in uppercase letters. Base64 encodes the binary hash in Base64 notation, which is used in some APIs and JWT signatures.

What is live mode?+

When live mode is enabled, hashes are recalculated automatically as you type — no button press required. There is a 200ms debounce to avoid computing on every single keystroke. Disable live mode if you want to control exactly when hashes are computed.

What is HMAC used for?+

HMAC (Hash-based Message Authentication Code) combines the input with a secret key to produce a keyed hash. It is used for API authentication, webhook signature verification, JWT signing, and any situation where you need to prove both data integrity and origin authenticity.