How to Verify File Integrity with Hashes
When you download software, firmware, or important documents, how do you know the file is exactly what the publisher intended? File hashing gives you a cryptographic fingerprint — a unique string that changes if even a single byte of the file is different.
How file hashing works
A hash function reads every byte of a file and produces a fixed-length string. The same file always produces the same hash. Change one byte, and the hash changes completely.
Example:
- Original file hash:
e3b0c44298fc1c14... - Same file, one byte changed:
d7a8fbb307d7809c...
This makes it easy to verify: generate the hash, compare it to the published hash, and you know instantly whether the file is authentic.
How to verify a file
- Find the official hash — the software publisher typically lists file hashes on their download page (often labeled "SHA-256 checksum" or "MD5 sum").
- Upload your downloaded file — select the file in the hash calculator. The hash is computed locally in your browser.
- Compare the hashes — if your calculated hash matches the official hash exactly, the file is authentic and uncorrupted.
When to verify file hashes
- Software downloads — verify that installers and updates have not been tampered with or corrupted during download
- Firmware updates — a corrupted firmware file can brick a device. Always verify before flashing
- ISO images — operating system images should be verified before burning to USB or installing
- Legal and financial documents — verify that important documents have not been altered after signing or sharing
- Backup verification — confirm that backup files are identical to the originals
Supported algorithms
| Algorithm | Hash length | Recommendation |
|---|---|---|
| MD5 | 32 characters | Legacy only — not secure |
| SHA-1 | 40 characters | Legacy only — not secure |
| SHA-256 | 64 characters | Recommended standard |
| SHA-384 | 96 characters | High security |
| SHA-512 | 128 characters | Maximum security |
Tips
- Use the same algorithm — if the publisher provides a SHA-256 hash, generate a SHA-256 hash from your file. Different algorithms produce completely different hashes for the same file.
- Copy-paste to compare — do not try to compare long hash strings visually. Copy both hashes into a text comparison tool or search for one within the other.
- Large files work fine — since hashing runs in your browser, there is no upload or size limit. The only constraint is your device's processing speed.
- Hash before installing — make it a habit to verify critical downloads before running them. It takes seconds and can prevent installing compromised software.
Frequently Asked Questions
How do I compare a file hash to the official one?
After generating the hash, compare it character by character with the hash published by the file's source (usually on the download page). If every character matches, the file is authentic and uncorrupted. Even one character difference means the file has been modified.
Which hash algorithm should I use?
SHA-256 is the standard for file verification. Use whichever algorithm the publisher provides. If you have a choice, SHA-256 offers a good balance of security and performance.
Can a corrupted file have the correct hash?
It is theoretically possible (a collision) but statistically negligible with SHA-256. The odds are so astronomically low that for all practical purposes, matching hashes guarantee identical files.
Is my file uploaded to a server?
No. The hash is calculated entirely in your browser. Your file never leaves your device, making it safe for any file including sensitive documents.