What is the difference between MD5, SHA-1, and SHA-256?

MD5 produces a 128-bit (32 hex character) hash and is fast but cryptographically broken — researchers can generate collisions (two different inputs with the same hash) relatively easily. SHA-1 produces a 160-bit hash and is also considered cryptographically weak. SHA-256 (part of the SHA-2 family) produces a 256-bit hash and is currently considered secure against known attacks. SHA-512 produces a 512-bit hash. For security purposes, use SHA-256 or SHA-512. For file checksums and non-security data integrity checks, MD5 and SHA-1 are still widely used.

Can I reverse a hash back to the original text?

No. Hash functions are one-way by design — there is no mathematical way to reverse them. However, for short or common inputs, rainbow tables (precomputed lists of hash values) can be used to look up the original value. This is why password hashing must use salted, slow algorithms like bcrypt, scrypt, or Argon2 rather than SHA-256 — these algorithms add a random salt and use deliberate computational slowness to defeat rainbow table attacks.

Is it safe to hash passwords with SHA-256?

No — never use SHA-256 (or any general-purpose hash function) directly for password storage. SHA-256 is extremely fast, which means attackers can compute billions of hashes per second using GPUs. Password hashing requires slow algorithms specifically designed for the purpose: bcrypt, scrypt, Argon2id, or PBKDF2 with a high iteration count. These algorithms are intentionally slow and include a random salt per password to prevent rainbow table attacks.

How do I use hash verification to check file integrity?

Software distributors often publish SHA-256 checksums alongside downloads. After downloading a file, hash it with SHA-256 and compare the result to the published checksum. If they match, the file has not been tampered with or corrupted in transit. If they differ, do not use the file — it may be corrupted or maliciously modified.

How to Generate a Hash (MD5, SHA-256) Online

Generate cryptographic hashes for any text or file with our free Hash Generator. Supports MD5, SHA-1, SHA-256, SHA-512, and more.

Steps

Select a hashing algorithm

Choose the algorithm you need. For security-critical use cases like password storage, use SHA-256 or SHA-512. For data integrity verification (checksums), MD5 or SHA-1 are still widely used despite their cryptographic weaknesses. For modern security applications, SHA-256 is the recommended minimum.

Enter your text or upload a file

Type or paste the text you want to hash into the input field, or upload a file to generate its checksum. Every unique input produces a unique hash — even a single character difference produces a completely different output.

Generate the hash

Click Generate Hash. The hash is computed instantly in your browser and displayed in the output field. The tool shows the hash in hexadecimal format, which is the standard representation.

Copy the hash

Click Copy to copy the hash to your clipboard. Hashes are typically 32 characters (MD5), 40 characters (SHA-1), 64 characters (SHA-256), or 128 characters (SHA-512) in hexadecimal.

Verify by re-hashing

To verify that a file or text has not changed, hash it again and compare the two hashes. If they are identical, the content is unchanged. If even one bit is different, the hashes will be completely different — this property is called the avalanche effect.

How Cryptographic Hash Functions Work

A cryptographic hash function takes an input of any size and produces a fixed-size output (the hash or digest) with three critical properties. First, determinism: the same input always produces the same output. Second, the avalanche effect: a tiny change in the input (even one character or bit) produces a completely different output — hash functions do not change 'gradually'. Third, one-way: it is computationally infeasible to reverse the hash to find the original input. Fourth, collision resistance: it should be computationally infeasible to find two different inputs that produce the same hash. These properties make hash functions essential for data integrity verification, digital signatures, hash-based message authentication codes (HMAC), and as building blocks for other cryptographic protocols.

Practical Uses of Hashing in Software Development

Hashing appears throughout software development in ways you may not immediately recognise. Database indexing uses hashing for hash tables and hash indexes. Version control systems like Git identify every commit, file, and tree by its SHA-1 (moving to SHA-256) hash. Content delivery networks use hash-based cache keys to determine if content has changed. API request signing uses HMAC (Hash-based Message Authentication Code) to verify that a request came from a legitimate source and was not modified in transit. Blockchain and cryptocurrency use SHA-256 extensively in the proof-of-work algorithm and for address generation. Caching systems use hash functions to generate cache keys from complex objects. Deduplication systems hash files to identify and remove duplicates without comparing bytes.

HMAC: Hashing for Message Authentication

A plain hash only verifies data integrity — it does not prove who created it, because anyone can compute a hash. HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to create a keyed hash that only someone with the key can produce or verify. HMAC is used for: JWT signature verification (the HMAC-SHA256 algorithm signs JWT tokens), API request authentication (AWS Signature Version 4, Stripe webhooks), cookie signing to prevent tampering, and CSRF token verification. When you see an algorithm like HS256 in a JWT header, that is HMAC-SHA256. The key insight is that HMAC provides both integrity (the message was not altered) and authenticity (the message was created by someone with the secret key).