How to use
Type or paste text in the top pane and four hashes — MD5, SHA-1, SHA-256, SHA-512 — appear immediately, each with its own copy button. The "uppercase output" toggle switches the hex digits between lowercase and uppercase, which matters when comparing against a checksum file that uses one casing or the other.
Input is UTF-8 encoded before hashing, so the same text produces identical hashes across languages, editors, and platforms — as long as nothing slipped in a BOM or trailing newline. Hashing runs on Web Crypto for the SHA family; MD5 is computed inline because browsers do not expose it. Everything stays in your browser.
FAQ
Can I use MD5 or SHA-1 to store passwords?
No. Both are fast by design and broken against collision attacks. Modern GPU rigs run billions of guesses per second. For passwords use a password-hashing function — bcrypt, scrypt, or Argon2 — with a per-user salt. General-purpose hashes are for integrity checks, not credentials.
Can I hash a file with this tool?
Not directly — input is text only. For binary files, hash on your machine with shasum, sha256sum, certutil, or Get-FileHash. Pasting a file's text content here works for small text files, but copying through the clipboard often adds line-ending or whitespace changes that shift the hash.
Why does my hash differ from the one in the README?
Most often it is an invisible difference in the input — a trailing newline, a BOM at the start, CRLF vs LF line endings, or the wrong encoding. Try stripping whitespace, normalizing newlines to LF, and removing any BOM. A single byte changes the entire hash.
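One way to run those checks systematically, as an added example that is not the tool's own code: it tries each normalization listed above against a published SHA-256 and reports which ones were needed. It runs under Node.js with node:crypto rather than in the browser, and the function names and sample strings are constructed for illustration.

```javascript
// Added example (not the tool's code). Node.js; node:crypto keeps the check
// synchronous where the browser tool would use Web Crypto.
const { createHash } = require("node:crypto");

// SHA-256 of a string, UTF-8 encoded first (as the tool does), lowercase hex.
function sha256Hex(text) {
  return createHash("sha256").update(Buffer.from(text, "utf8")).digest("hex");
}

// Each step undoes one invisible difference named in the FAQ answer.
const STEPS = [
  ["strip BOM", (s) => s.replace(/^\uFEFF/, "")],
  ["CRLF to LF", (s) => s.replace(/\r\n/g, "\n")],
  ["strip trailing newlines", (s) => s.replace(/\n+$/, "")],
  ["add one trailing newline", (s) => s + "\n"],
];

// Try every subset of STEPS (applied in listed order) and return the names of
// the smallest subset whose output hashes to expectedHex, or null if none does.
// An empty array means the text already matched byte for byte.
function explainMismatch(text, expectedHex) {
  const want = expectedHex.trim().toLowerCase(); // hex casing is irrelevant
  let best = null;
  for (let mask = 0; mask < 1 << STEPS.length; mask++) {
    let candidate = text;
    const used = [];
    STEPS.forEach(([name, fn], i) => {
      if (mask & (1 << i)) {
        candidate = fn(candidate);
        used.push(name);
      }
    });
    const hit = sha256Hex(candidate) === want;
    if (hit && (best === null || used.length < best.length)) best = used;
  }
  return best;
}

// Constructed sample: the publisher hashed "hello\nworld\n"; the pasted copy
// picked up a BOM and CRLF line endings and lost the final newline.
const published = sha256Hex("hello\nworld\n");
const pasted = "\uFEFFhello\r\nworld";
console.log(explainMismatch(pasted, published));
```

A `null` result means none of these normalizations explains the difference, so the content itself differs from what the publisher hashed.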
Is hashing the same as encryption?
No — hashing is one-way. From a hash you cannot recover the input. Encryption is reversible with the right key. Hashes are for "are these two things identical?" (checksums, signatures, deduplication); encryption is for "keep this private from anyone without the key."
Which algorithm should I use for new code?
SHA-256 is the safe default for general integrity checks — checksums, content addressing, signature inputs. Use SHA-512 if you specifically need a longer digest, BLAKE3 if you need maximum speed (not included here, but worth knowing). Avoid MD5 and SHA-1 unless you are reproducing a legacy protocol that requires them.
Related concepts
A cryptographic hash function turns any input into a fixed-length digest with three core properties: pre-image resistance (cannot reverse the digest to recover the input), second-pre-image resistance (cannot construct another input with the same digest), and collision resistance (cannot find any two inputs sharing a digest). When all three hold, the digest is a usable fingerprint.
MD5 (128-bit) and SHA-1 (160-bit) lost collision resistance years ago — practical collisions are public — so they should appear only in non-security contexts like file deduplication or cache keys. SHA-2 (SHA-256, SHA-512) remains current for integrity work. None of these are appropriate for password storage because they are designed to be fast: an attacker with stolen hashes can brute-force billions of guesses per second on commodity hardware. Password hashes (bcrypt, scrypt, Argon2) are deliberately slow, adding salt, memory cost, and adjustable iteration counts.