Hash Generator
Compute MD5, SHA-1, SHA-256, and SHA-512 hashes right in your browser. Everything runs locally; nothing is uploaded or stored.
- On-device
- No upload
- Works offline
About this tool
This tool computes MD5, SHA-1, SHA-256, and SHA-512 digests for any text you type or paste. You can also drop any file to get its checksum. All computation happens in your browser using the Web Crypto API (for SHA variants) and the js-md5 library for MD5.
Results update live as you type. Copy any hash with the Copy button next to it.
Algorithms explained
- MD5: 128-bit digest (32 hex chars). Fast and widely used for checksums, but not safe for cryptographic signatures. Collision attacks are well-known.
- SHA-1: 160-bit digest (40 hex chars). Deprecated for security-sensitive uses. Still common in Git object IDs and some legacy systems.
- SHA-256: 256-bit digest (64 hex chars). Part of the SHA-2 family. The go-to choice for secure hashing today, used in TLS, code signing, and blockchains.
- SHA-512: 512-bit digest (128 hex chars). Larger output, faster than SHA-256 on 64-bit CPUs. Used when extra collision resistance is needed.
Tips
- Use SHA-256 for any security-sensitive checksum, such as verifying an APK download.
- MD5 and SHA-1 are fine for non-security integrity checks where speed matters.
- Hex-encoded hashes are case-insensitive. BA7816BF... and ba7816bf... refer to the same digest.
- Even a single added space changes the output entirely. That's the avalanche effect.
About Hash Generator
A cryptographic hash function takes any input and produces a fixed-length fingerprint called a digest. The same input always produces the same digest; a tiny change produces a completely different one. This tool lets you compute four of the most common digests instantly, without sending your data anywhere.
When to use each algorithm
MD5 is the fastest option and produces the shortest output (32 characters). It is the standard choice for non-security checksums, such as detecting accidental file corruption or confirming a cache hit. You should not use it to verify trust, because crafting two inputs with the same MD5 hash is computationally feasible.
SHA-1 produces a 40-character digest and was the industry standard through the 2000s. Git still uses it for object IDs. However, it has been formally broken for collision resistance since 2017, so prefer SHA-256 for anything security-related.
SHA-256 is the current recommended default. At 64 characters it balances size and security well, and it is required by many modern standards including TLS certificates and code-signing pipelines. If you are verifying an APK you downloaded, use SHA-256.
SHA-512 is the strongest of the four. Its 128-character output provides enormous collision resistance. On modern 64-bit hardware it can actually be faster than SHA-256 for large inputs. Use it when you need the highest confidence in data integrity.
How file hashing works
When you drop a file, your browser reads its raw bytes into memory using the File API. The bytes are passed directly to the Web Crypto subtle.digest function for SHA variants, and to js-md5 for the MD5 column. The file never leaves your device; the network tab in your browser developer tools will confirm zero outgoing requests.
Frequently asked questions
What is a hash and why does it matter?
A hash is a fixed-length fingerprint of any data. Because even a one-bit change produces a completely different fingerprint, hashes let you confirm that a file arrived intact, that a password matches without storing it in plain text, or that two pieces of data are identical without comparing them byte by byte.
Is MD5 safe to use?
MD5 is safe for detecting accidental corruption (like comparing a download against a posted checksum) but it is not safe for cryptographic purposes. Chosen-prefix collision attacks mean an attacker can craft two different files with the same MD5. Use SHA-256 or SHA-512 whenever trust is on the line.
Why does my file's SHA-256 not match what the developer posted?
The most common reason is a corrupted or partial download. Re-download the file and try again. Also check whether the developer's checksum was computed on a compressed archive (like a .zip) rather than the extracted file, or vice versa. Encoding format (hex vs. Base64) can also cause an apparent mismatch.
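The comparison described in this answer, as an added example that is not the tool's own source: it hashes input with the Web Crypto subtle.digest call mentioned under "How file hashing works" and checks the result against a published SHA-256 value given as hex in either case or as Base64. The function names sha256Hex, normalizePublished and checkDigest are assumptions made for illustration.

```javascript
// Added example, not the tool's source. All function names are hypothetical.

// Hex-encode an ArrayBuffer or typed array as lowercase hex.
function toHex(buffer) {
  return Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, "0")).join("");
}

// SHA-256 of a string (UTF-8), an ArrayBuffer/typed array, or a File/Blob.
async function sha256Hex(input) {
  // Browsers expose crypto globally; the import is a fallback for older Node.
  const wc = globalThis.crypto ?? (await import("node:crypto")).webcrypto;
  let bytes;
  if (typeof input === "string") bytes = new TextEncoder().encode(input);
  else if (typeof input.arrayBuffer === "function") bytes = await input.arrayBuffer(); // File/Blob
  else bytes = input;
  return toHex(await wc.subtle.digest("SHA-256", bytes));
}

// Normalise a published SHA-256 checksum to lowercase hex.
// Accepts hex in any case (spaces or colons allowed) or Base64; null if neither.
function normalizePublished(published) {
  const s = published.trim();
  const hex = s.replace(/[\s:]/g, "").toLowerCase();
  if (/^[0-9a-f]{64}$/.test(hex)) return hex;
  // A 32-byte digest is 43 Base64 characters plus an optional "=" pad.
  if (/^[A-Za-z0-9+/]{43}=?$/.test(s)) {
    const raw = atob(s.endsWith("=") ? s : s + "=");
    return toHex(Uint8Array.from(raw, (c) => c.charCodeAt(0)));
  }
  return null; // wrong length or alphabet, e.g. an MD5 or SHA-512 value
}

// Compare a computed hex digest with the published value.
function checkDigest(computedHex, published) {
  const expected = normalizePublished(published);
  if (expected === null) return "unrecognized-format";
  return expected === computedHex.toLowerCase() ? "match" : "mismatch";
}
```

In a page, pass the dropped File object straight to sha256Hex and feed the result to checkDigest together with the checksum the developer posted.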
Can I hash large files?
Yes. The Web Crypto API streams the file buffer through the digest function without needing to hold multiple copies. Very large files (several gigabytes) may take a few seconds but should complete without issue on a modern device. The MD5 column uses js-md5, which also handles arbitrary-length input.