How to Generate MD5, SHA-256, and Other Hashes
Hashing converts any input — a password, a file, a message — into a fixed-length string of characters. The same input always produces the same hash, but even a tiny change in the input produces a completely different hash. This makes hashing essential for integrity verification, password storage, and digital signatures.
How hashing works
A hash function takes input of any size and produces output of a fixed size:
| Input | SHA-256 hash (first 16 chars) |
|---|---|
| hello | 2cf24dba5fb0a30e... |
| Hello | 185f8db32271fe25... |
| hello! | ce06092fb948d9ff... |
Notice that changing a single character (lowercase h to uppercase H) or adding a character completely changes the hash. This is called the avalanche effect.
Common hash algorithms
| Algorithm | Output length | Status | Use for |
|---|---|---|---|
| MD5 | 32 characters | Broken (insecure) | Legacy checksums, non-security uses |
| SHA-1 | 40 characters | Broken (insecure) | Legacy systems only |
| SHA-256 | 64 characters | Secure | File integrity, digital signatures |
| SHA-512 | 128 characters | Secure | High-security applications |
SHA-256 is the current standard for most purposes. MD5 and SHA-1 should only be used when interacting with legacy systems that require them.
How to generate a hash
- Choose your algorithm — select MD5, SHA-1, SHA-256, SHA-384, or SHA-512. Use SHA-256 unless you have a specific reason for another.
- Enter text or upload a file — type or paste text, or select a file to hash.
- Copy the hash — the result is a hex string you can use for verification, storage, or comparison.
Practical uses
File integrity verification — download a file and compare its hash against the publisher's official hash. If they match, the file is authentic and uncorrupted.
Password storage — applications store hashes of passwords, not the passwords themselves. When you log in, your input is hashed and compared to the stored hash.
Data deduplication — hash large files to quickly determine if two files are identical without comparing them byte by byte.
HMAC for API security — use HMAC (hash with a secret key) to sign API requests, ensuring the request has not been tampered with in transit.
Tips
- Use SHA-256 by default — it is secure, widely supported, and the standard recommendation for new projects.
- Never use MD5 for security — MD5 collisions (different inputs producing the same hash) can be generated in seconds. It is fine for non-security checksums but not for anything where integrity matters.
- Salt your password hashes — adding a random salt to each password before hashing prevents rainbow table attacks. Use bcrypt or Argon2 for password hashing in production.
- File hashing works locally — the file is processed in your browser, so even large files never leave your device.
Frequently Asked Questions
What is the difference between MD5, SHA-1, and SHA-256?
MD5 produces a 128-bit hash (32 hex characters), SHA-1 produces 160 bits (40 characters), and SHA-256 produces 256 bits (64 characters). MD5 and SHA-1 are considered cryptographically broken for security purposes. SHA-256 is currently secure and recommended for integrity verification and security applications.
Can you reverse a hash to get the original data?
No. Hash functions are one-way by design. You cannot mathematically reverse a hash back to its input. However, common passwords can be found in precomputed lookup tables (rainbow tables), which is why passwords should be salted before hashing.
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. It verifies both data integrity and authenticity — proving the data has not been tampered with and was created by someone who knows the secret key.
Is my data sent to a server when generating hashes?
No. All hashing runs in your browser using the Web Crypto API. Your text and files never leave your device.