Hash & Checksum Generator

Type or paste text and see all five common hashes side-by-side, updated as you type, or drop a file to get its checksums for matching against threat feeds like VirusTotal. Everything is computed in your browser via the Web Crypto API, so your text and your files never leave the page.

Or drop a file to hash it For checking a file against threat feeds like VirusTotal. Read locally, never uploaded.
MD5⚠ broken β€” legacy only
β€”
SHA-1⚠ deprecated
β€”
SHA-256recommended default
β€”
SHA-384
β€”
SHA-512
β€”
What is a hash function?

Hashes in 30 seconds

A hash function takes any input β€” a word, a file, a billion bytes β€” and produces a fixed-size fingerprint. Same input always gives the same fingerprint. The hash is one-way: you can't recover the input from the hash.

What hashes are used for

  • File integrity β€” "this download wasn't tampered with"
  • Threat intelligence β€” a file's hash is its fingerprint in malware feeds. Hash a suspicious file here, then search the SHA-256 (or MD5) on VirusTotal or a threat database to see if it is already known.
  • Password storage β€” never store passwords; store their hash (with salt)
  • Deduplication β€” same hash = same data
  • Digital signatures β€” sign the hash, not the whole document

Which algorithm should I use?

  • SHA-256 β€” the modern default. Use this unless you have a specific reason not to.
  • SHA-512 β€” twice the output size, faster on 64-bit systems, used in some legacy systems.
  • SHA-1 β€” deprecated. Collisions have been found in practice. Don't use for new systems.
  • MD5 β€” broken since 2004. Collision attacks are trivial. Still appears in legacy file checksums (e.g., old Linux mirror lists).

For passwords, hashing isn't enough

Real password storage uses purpose-built algorithms β€” bcrypt, scrypt, argon2 β€” that are deliberately slow and accept a per-user salt. Hashing a password with SHA-256 is much, much weaker than hashing with bcrypt.