
HASH GENERATOR

Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512, and CRC-32 hashes from text or files. Verify file integrity, compare against expected hashes, or build HMAC keyed hashes. Real-time as you type.

6 Algorithms at Once
Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512, and CRC-32 hashes simultaneously. No mode-switching - they all update live as you type.
File Hashing
Drop any file to generate its hash - perfect for verifying downloads, checking file integrity, or matching against published checksums on release pages.
Compare Mode
Paste an expected hash and the tool highlights matching algorithms green and non-matching red. Verify file integrity at a glance.
HMAC Support
Add a secret key and get HMAC-signed hashes for the SHA family. Useful for API request signing, webhook validation, and authenticated tokens.
Browser-Native Crypto
Uses the Web Crypto API for SHA hashing - same library that powers HTTPS. Cryptographically correct, fast, and works offline once loaded.
100% Local
All hashing happens in your browser. Your text, files, and secret keys never leave your device. Safe for passwords, keys, or private data.

GENERATE HASHES

Type text, drop a file, or compare against an expected hash. All algorithms update live.


1 - Choose Input Type


2 - Generated Hashes

MD5 128 bit
SHA-1 160 bit
SHA-256 256 bit
SHA-384 384 bit
SHA-512 512 bit
CRC-32 32 bit
Security note: MD5 and SHA-1 are cryptographically broken for security uses (digital signatures, password hashing). They're still useful for non-security checksums like file integrity. For security, use SHA-256 or SHA-512, and for storing passwords use a slow, salted hash such as bcrypt.

HOW IT WORKS

Browser-native cryptographic hashing using the Web Crypto API. Same engine as your HTTPS connection.

01 - Pick text or file
Type/paste text into the box, or drop any file. Files are read in chunks so big files work without freezing the browser.
02 - All algorithms run at once
SHA family runs through Web Crypto (browser-native, fast). MD5 and CRC-32 use compact pure-JS implementations - all six results appear simultaneously.
03 - Copy or compare
Click any copy button to grab a hash. Or paste an expected hash to verify your file matches the published checksum.

COMMON QUESTIONS

SHA-256 - default choice for almost everything. Cryptographically secure, widely supported, fast.
SHA-512 - same security as SHA-256, slightly faster on 64-bit systems. Use when you want extra-long hashes.
SHA-1 - cryptographically broken since 2017. Only use for non-security checksums (Git uses it for content addressing).
MD5 - fully broken since 2004. Don't use for security. Still common for file checksums on download pages.
CRC-32 - not a security hash at all. It's a basic error-detection checksum, used in ZIP files and Ethernet.
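
Why CRC-32 sits apart from the hashes in this list, as an added example (not the tool's own CRC-32 code): a table-driven CRC-32 that accepts chunked input, plus a check of its XOR structure. The function names and sample strings are constructed for this illustration.

```javascript
// Lookup table for the reflected polynomial 0xEDB88320 (the ZIP/Ethernet CRC-32).
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c;
});

// Fold one chunk into the running state; chunks can arrive in any sizes.
function crc32Update(state, chunk) {
  for (const byte of chunk) state = CRC_TABLE[(state ^ byte) & 0xff] ^ (state >>> 8);
  return state >>> 0;
}

// CRC-32 of a sequence of Uint8Array chunks (for example 1 MB slices of a file).
function crc32(chunks) {
  let state = 0xffffffff;
  for (const chunk of chunks) state = crc32Update(state, chunk);
  return (state ^ 0xffffffff) >>> 0;
}

const crcHex = (chunks) => crc32(chunks).toString(16).padStart(8, "0");

// Byte-wise XOR of equal-length messages.
function xorBytes(first, ...rest) {
  return first.map((byte, i) => rest.reduce((acc, m) => acc ^ m[i], byte));
}

// For equal-length inputs, crc(a^b^c) == crc(a)^crc(b)^crc(c): the checksum of
// a modified message is predictable without any secret, unlike a hash or HMAC.
function crcIsAffine(a, b, c) {
  const combined = (crc32([a]) ^ crc32([b]) ^ crc32([c])) >>> 0;
  return crc32([xorBytes(a, b, c)]) === combined;
}

// Constructed sample inputs.
const bytes = (text) => new TextEncoder().encode(text);
console.log(crcHex([bytes("123456789")]));             // cbf43926
console.log(crcHex([bytes("1234"), bytes("56789")]));  // cbf43926
console.log(crcIsAffine(bytes("invoice1"), bytes("invoice2"), bytes("transfer")));
```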

HMAC (Hash-based Message Authentication Code) combines a regular hash function with a secret key, so the result acts as a "signature" on the message. SHA-256("hello") is the same for everyone, but HMAC-SHA-256("hello", secret) can only be reproduced by someone who knows the secret. It is used in API request signing (Stripe, AWS, GitHub webhooks), JWTs, and message integrity checks. If you don't know whether you need HMAC, you probably don't.

Up to about 2 GB reliably on desktop browsers, less on mobile. Files are read in 1 MB chunks so the browser stays responsive. A 1 GB file typically takes 10-30 seconds to hash on desktop. The progress bar shows how far along you are.

"Broken" means an attacker can craft two different files with the same hash (collision attack). For verifying that an unmodified file matches the publisher's checksum on a download page, MD5 and SHA-1 are still fine - they detect random/accidental changes. They're not safe for password hashing, digital signatures, or any case where an attacker might be trying to forge a match.

No. Hashing happens entirely in your browser using the Web Crypto API and small JavaScript implementations for MD5 and CRC-32. Your text, files, and HMAC keys never leave your device. Safe to use with passwords, API keys, or any sensitive data.

Bcrypt is a slow, salted password hash - completely different from MD5/SHA, which are fast checksums. Three things make it special:

1. It's intentionally slow. A SHA-256 hash takes microseconds. Bcrypt at cost 12 takes ~600ms. This is the whole point - it makes brute-forcing passwords expensive for attackers.

2. Same input = different output. Each generation uses a random salt, so hashing "password123" twice gives two different hashes. Both verify correctly. This is correct - it's not a bug.

3. The hash itself contains the salt. No need to store salt separately. The format is $2y$12$<22-char-salt><31-char-hash>.

Use bcrypt for storing user passwords. Use SHA-256 for everything else (file checksums, signatures, etc.).

Yes, fully compatible. Hashes generated here work with PHP's password_verify() and Laravel's Hash::check(). You can also paste hashes from your Laravel database into the verify field and check if a password matches.

One small detail: the JavaScript bcrypt library outputs hashes starting with $2b$ while PHP/Laravel uses $2y$. Both are interchangeable - all bcrypt verifiers (PHP, Laravel, Node, Python, Ruby) accept $2a$, $2b$, and $2y$ equally. The prefix differences are historical, not functional. So a hash generated here works in your Laravel app and vice versa, no conversion needed.
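
A parser for the hash format described above, used to audit stored password values, as an added example (not code from this tool, PHP, or Laravel). The function names, verdict labels, and the minimum cost of 12 are assumptions, and the sample hashes are constructed strings rather than real bcrypt output.

```javascript
// $<variant>$<2-digit cost>$<22-char salt><31-char hash>, alphabet ./A-Za-z0-9
const BCRYPT_FORMAT = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
// Hex lengths of the fast digests: MD5, SHA-1, SHA-256, SHA-384, SHA-512.
const FAST_DIGEST_HEX_LENGTHS = new Set([32, 40, 64, 96, 128]);

function parseBcrypt(stored) {
  const match = BCRYPT_FORMAT.exec(stored);
  if (!match) return null;
  const [, variant, cost, salt, hash] = match;
  return { variant, cost: Number(cost), salt, hash };
}

// Hypothetical audit rules; minCost = 12 follows the cost used in the text.
function auditStoredPassword(stored, minCost = 12) {
  const parsed = parseBcrypt(stored);
  if (parsed) {
    return parsed.cost < minCost
      ? { verdict: "rehash", reason: `bcrypt cost ${parsed.cost} is below ${minCost}` }
      : { verdict: "ok", reason: `bcrypt variant ${parsed.variant} at cost ${parsed.cost}` };
  }
  if (/^[0-9a-f]+$/i.test(stored) && FAST_DIGEST_HEX_LENGTHS.has(stored.length)) {
    return { verdict: "migrate", reason: "fast unsalted digest, not a password hash" };
  }
  return { verdict: "unknown", reason: "not bcrypt and not a bare hex digest" };
}

// Each hash should carry its own random salt; two stored values with the same
// salt point to a generator that reuses salts.
function sharesSalt(storedA, storedB) {
  const a = parseBcrypt(storedA);
  const b = parseBcrypt(storedB);
  return a !== null && b !== null && a.salt === b.salt;
}

// Constructed sample values (format-valid strings, not hashes of any password).
const SALT = "ConstructedSaltValue.u";
const HASH = "ConstructedDigestNotARealHash..";
const samples = [
  `$2y$12$${SALT}${HASH}`,            // PHP/Laravel-style prefix
  `$2b$08$${SALT}${HASH}`,            // JavaScript-style prefix, low cost
  "d41d8cd98f00b204e9800998ecf8427e", // bare MD5 hex stored as a "password hash"
];
for (const value of samples) console.log(auditStoredPassword(value).verdict);
```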

That's correct behavior - the hash of an empty string is itself a known value. MD5("") = d41d8cd98f00b204e9800998ecf8427e for example. Hashing zero bytes is mathematically valid; it just produces a fixed "empty input" fingerprint.