SHA Hash Generator
How it works
Where is MD5?
Deliberately absent, for two stacking reasons. First, the platform does not have it: crypto.subtle.digest supports only the SHA family, so an MD5 tool must ship its own JavaScript implementation - a dependency this site refuses on principle (every line here is auditable platform code). Second, MD5 has been collision-broken since 2004; chosen-prefix collisions cost minutes on a laptop. If a legacy system hands you an MD5 checksum, verify it there; nothing new should be built on it.
Hashes are over bytes, and the bytes are UTF-8
A hash function consumes bytes, not characters. The same text hashed as UTF-8 versus UTF-16 gives entirely different digests, which is the usual reason a JavaScript digest disagrees with sha256sum on the command line or hashlib in Python (both default to UTF-8 files/encodes). This tool encodes input as UTF-8 first, so its digests match what openssl, sha256sum, and every other UTF-8 consumer computes.
SHA-1 is for old checksums only
The SHAttered attack produced two different PDFs with the same SHA-1 in 2017, and attacks only improved. Git moved to SHA-256; certificate authorities banned SHA-1 signatures years earlier. It remains in this tool because legacy systems still hand out SHA-1 checksums to verify - the page marks it legacy and says so in a note whenever you select it.
Examples
| hello (SHA-256) | 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 |
| "" (SHA-256) | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| 👋 (SHA-256) | 1d0452e3d194cc7950909b578c611d5ad4cd15105c6aeefc38ce213240ffc457 |
FAQ
Why does my digest differ from sha256sum / Python / another site?
Almost always an encoding or whitespace difference: the bytes differ, so the digest differs. Check for a trailing newline (echo adds one; use printf), UTF-16 encoding (PowerShell redirects default to it historically), or a BOM. This tool hashes exactly the characters in the box, UTF-8 encoded, no trailing newline.
Why is there no MD5 option?
crypto.subtle has no MD5, so offering it would mean shipping a third-party JavaScript implementation - and MD5 has been collision-broken since 2004 anyway. SHA-256 is the default here; use it wherever you control both sides.
Is SHA-1 safe to use?
Not for anything security-relevant: collisions are practical (SHAttered, 2017; chosen-prefix in 2020). It is still fine for verifying a checksum that an old system already published - that is why it is present, labeled legacy.
Can I hash a file here?
Not yet - this tool hashes text. Hashing large files client-side is possible with the same crypto.subtle API and may arrive as a separate tool; pasting binary data into a text box corrupts it (see the hex tool for why bytes and text differ).
Is my input uploaded to a server?
No. crypto.subtle runs locally. The page ships a strict Content-Security-Policy: connect-src 'none' blocks fetch, XHR, WebSockets and beacons, while default-src 'self' and form-action 'none' block every other way markup could send data off-site. Hashing happens in your browser and cannot leave it.