Hash Generator
Generate various hash values (MD5, SHA-1, SHA-256, SHA-512) from text or files. Supports real-time hash calculation and file hash computation.
Generate Hash
Calculate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files. Use for file integrity verification, checksums, and digital signatures.
Hash Function Tips & Best Practices
Understand when to use different hash algorithms, security considerations, and practical applications for file integrity, digital signatures, and more.
MD5 is cryptographically broken and should NOT be used for security purposes:
- Collision attacks have been demonstrated since 2005
- Can generate different inputs with same MD5 hash
- Rainbow tables exist for common passwords
- Still OK for non-security checksums (file downloads)
Use SHA-256 or better for any security-related purpose.
No! SHA-256/512 are designed to be fast, which is terrible for password security:
- Attackers can try billions of passwords per second
- No built-in salt or work factor
- Vulnerable to GPU and ASIC attacks
For passwords, use dedicated algorithms:
- Argon2id: Winner of 2015 Password Hashing Competition
- bcrypt: Still solid with cost factor ≥12
- scrypt: Good memory-hard alternative
For file integrity verification, speed is actually beneficial:
- SHA-256: Current standard, widely supported
- SHA-512: Better for very large files (64-bit optimized)
- BLAKE2b: Faster than SHA, equally secure
- SHA-3: Alternative with different design
Example uses: software downloads, backup verification, deduplication
Hash length directly impacts security and collision resistance:
- MD5: 128 bits (32 hex chars) - Too short
- SHA-1: 160 bits (40 hex chars) - Deprecated
- SHA-256: 256 bits (64 hex chars) - Recommended minimum
- SHA-512: 512 bits (128 hex chars) - Higher security margin
Longer hashes = exponentially harder to find collisions. SHA-256 provides 128-bit collision resistance, considered unbreakable with current technology.
Git uses SHA-1 for content addressing, not security:
- Every commit, file, and tree has a SHA-1 identifier
- Enables distributed version control and deduplication
- Git is transitioning to SHA-256 for future-proofing
- Collision attacks on Git require very specific conditions
The risk is low because Git checks for identical SHA-1s, and attackers need to inject malicious content at commit time.
A salt is random data added to passwords before hashing:
- Prevents rainbow table attacks
- Makes identical passwords hash differently
- Should be unique per password
- Stored alongside the hash (not secret)
Note: The hash functions in this tool (MD5, SHA) don't include salts. They're deterministic - same input always gives same output. Password hashing libraries handle salting automatically.
Understanding the age helps assess their security:
- MD5 (1991): Broken, only for legacy support
- SHA-1 (1995): Officially broken in 2017
- SHA-256/512 (2001): Part of SHA-2, still secure
- SHA-3 (2015): Latest standard, different design
- BLAKE2 (2012): Modern alternative, very fast
Rule of thumb: Use algorithms from 2000 or later for security-critical applications.
Cryptographic hash functions must satisfy these properties:
- Deterministic: Same input → same output
- Fast computation: Quick to calculate hash
- Pre-image resistance: Can't reverse hash to input
- Collision resistance: Hard to find two inputs with same hash
- Avalanche effect: Small input change → completely different hash
Non-cryptographic hashes (like CRC32) are only for error detection, not security.