Werkery

Hash Generator (MD5, SHA-1, SHA-256, SHA-512)

Compute cryptographic hashes of text — MD5, SHA-1, SHA-256, SHA-384, SHA-512. All hashing runs in your browser via the Web Crypto API; nothing is uploaded.

Tool by ·
ad slot ()
ad slot ()

How it works

  1. 1
    Type or paste text
    The input is UTF-8 encoded for hashing.
  2. 2
    Pick algorithm
    MD5, SHA-1, SHA-256, SHA-384, or SHA-512.
  3. 3
    Copy
    Hex output, lowercase, no separator.

Cryptographic hashes in 2026: which to use, which to retire

What a hash function actually guarantees

A cryptographic hash function takes an arbitrary-length input and produces a fixed-size output (the digest). Three properties matter: (1) preimage resistance — given a digest, finding any input that produces it should be infeasible. (2) second-preimage resistance — given an input, finding a different input with the same digest should be infeasible. (3) collision resistance — finding any two distinct inputs with the same digest should be infeasible.

When a hash function 'breaks,' one of these properties has been violated by a practical attack. MD5 collisions can be computed in seconds on a laptop. SHA-1 collisions cost a few thousand dollars in cloud compute (SHAttered, 2017). SHA-256 has no known practical attack and remains the workhorse of modern systems.

The SHA-2 family

NIST published SHA-2 in 2001: four variants — SHA-224, SHA-256, SHA-384, SHA-512 — with the suffix indicating digest length in bits. SHA-256 is the most widely used: Bitcoin's mining, TLS certificates, signed commits, container image IDs, Docker layer hashes. SHA-512 is faster than SHA-256 on 64-bit CPUs (it operates on 64-bit words natively).

All SHA-2 variants share the same Merkle-Damgård construction. This means they're vulnerable to length-extension attacks — if you know `H(secret || message)`, you can compute `H(secret || message || padding || extra)` without knowing the secret. Don't build MACs by concatenation; use HMAC instead (the Web Crypto `HMAC` algorithm wraps SHA properly).

SHA-3 and where it fits

SHA-3 (Keccak), standardized in 2015, uses a completely different construction (sponge functions) and is immune to length-extension. It's slower than SHA-256 in software but faster in hardware. Adoption has been slow — most code that needs a modern hash still picks SHA-256 because it's already everywhere.

Use SHA-3 if you're building something where length-extension matters and you can't use HMAC, or where future-proofing matters more than performance. For most applications in 2026, SHA-256 is still the safe default.

Hashes are NOT for passwords

A single SHA-256 computation takes nanoseconds. A modern GPU can compute billions per second. If your password database leaks and you stored `SHA256(password)`, attackers will brute-force every weak password in hours.

Password hashes are deliberately slow: Argon2id (winner of the 2015 Password Hashing Competition), scrypt, and bcrypt all parameterize CPU/memory cost so one verification takes ~100ms. They also salt per-user to defeat rainbow tables. If you're storing passwords, use a library wrapper (libsodium, passlib, bcryptjs) — never roll your own.

Hashes are NOT encryption

A hash is one-way: you cannot recover the input from the digest. This is the opposite of encryption. People sometimes call a hash 'encrypting' a password — they mean 'storing the hash instead of the plaintext.' The terminology matters: encryption (AES, ChaCha20) implies a key that can decrypt; hashing implies no key and no recovery.

If you need to store something you'll later need back — API tokens, OAuth credentials, encryption keys — use encryption (AES-256-GCM with a key from a KMS), not hashing. If you need to verify a value without storing it — passwords, OTPs — hash it (with a slow KDF for passwords).

Frequently asked

Which hash should I use?

For new applications: SHA-256 is the right default. SHA-512 is faster on 64-bit CPUs and produces a longer digest. Avoid MD5 and SHA-1 for anything security-sensitive — both have practical collision attacks. Use them only for checksums of trusted content (file integrity verification, cache keys).

Is this a password hash?

No — and you should not use SHA-256 directly for passwords. Password hashes need to be slow and salted: use Argon2id, scrypt, or bcrypt with a per-user salt. A plain SHA-256 of a password is brute-forceable at billions of guesses per second on modern GPUs.

Why is MD5 here if it's broken?

MD5 is broken for cryptographic uses (collisions are trivial to compute), but it's still widely deployed as a non-security checksum: ETags, file deduplication, AWS object ETag, ed2k links. Computing one to compare against an existing value is a legitimate use.

Get new tools first.

One tool per week. No ads. Unsubscribe anytime.

Related tools

Password Generator
Generate strong, cryptographically random passwords up to 64 characters. Pick character sets, exclude ambiguous chars, see real-time entropy strength. 100% client-side — passwords never leave your browser.
UUID Generator (v4, v7)
Generate cryptographically random UUIDs (v4) or time-ordered UUIDs (v7) — up to 100 at once. Pure client-side, no server roundtrip.
Base64 Encoder / Decoder
Encode text or binary to Base64, or decode Base64 back to plain text. Supports URL-safe variant and UTF-8. All processing runs in your browser — nothing is uploaded.
Termination Letter Generator
Create a legally sound termination letter for your apartment, employment contract, mobile phone contract, gym membership, or insurance — in seconds, AI-powered.
Rent Reduction Calculator
Calculate the permissible rent reduction for housing defects (mould, heating failure, noise) and generate a defect notice letter to your landlord.
Garnishment Exemption Calculator 2026
Calculate your protected income based on the current garnishment table 2026 (valid since July 1, 2025). Includes maintenance obligations.
Tool designed and editorially reviewed by Felix Brübach. Text drafted with AI assistance and reviewed for legal and factual accuracy before publication. Not legal advice — for complex cases, consult a lawyer.
ad slot ()