Hash Generator (SHA-1/256/512)
Free hash generator. Compute SHA-1, SHA-256, and SHA-512 digests of any text or string — runs entirely in the browser using the Web Crypto API.
Quick answer
SHA-1, SHA-256, and SHA-512 are cryptographic hash functions — one-way transforms that turn any input into a fixed-length output. Same input always gives the same hash; the smallest input change produces a completely different hash. Use them for integrity verification, not encryption.
Hash Generator (SHA-1, SHA-256, SHA-512)
How it works
Uses the browser's native crypto.subtle.digest() API to generate cryptographic hashes. SHA-1 is shown for legacy compatibility but is no longer considered secure for new applications. SHA-256 is the modern default. SHA-512 is the strongest of the SHA-2 family.
When to use it
Verifying file integrity (matching a published checksum), generating content-addressable identifiers, hashing data for storage, or testing hashes for development purposes.
Common mistakes
Using SHA-1 for security purposes — collisions have been demonstrated in production. Use SHA-256 or stronger. Also: hashing passwords with raw SHA functions — use a slow KDF like bcrypt, scrypt, or Argon2 for password storage.
How the hash generator works
The tool runs your input through the browser's Web Crypto API, which computes the standard cryptographic hash. SHA-1 produces 160-bit output (40 hex characters), SHA-256 produces 256-bit output (64 hex), SHA-512 produces 512-bit output (128 hex). All three are deterministic: same input always produces the same digest. SHA-1 is now considered cryptographically broken for collision resistance — use SHA-256 or higher for any security-relevant application.
When to use it
Verifying file integrity (download a file, hash it, compare to the published checksum). Computing content-addressable identifiers (Git uses SHA-1; modern systems use SHA-256). Generating fingerprints for caching or deduplication. Checking whether a password matches a stored hash (always with proper salt and a slow hash like bcrypt — never raw SHA for passwords).
Common mistakes
- Using SHA for password storage. SHA is fast — exactly what you don't want for passwords. Use bcrypt, scrypt, or Argon2 with a unique salt per user.
- Treating hashes as encryption. Hashes are one-way; encryption is two-way. You can't 'decrypt' a SHA-256 hash. If you need to recover the original, hashing isn't the right tool.
- Trusting SHA-1 for new applications. Collisions are now demonstrable in practice. SHA-256 is the modern default; SHA-512 if you specifically need the longer digest.
Frequently asked questions
What's the difference between SHA-1, SHA-256, and SHA-512?
All three are cryptographic hash functions. SHA-1 produces a 160-bit (40-hex) digest, SHA-256 produces 256-bit (64-hex), SHA-512 produces 512-bit (128-hex). Larger digests are more resistant to brute-force collision attacks. SHA-1 is deprecated for security-relevant use.
Is hashing the same as encryption?
No. Hashing is one-way — you cannot recover the input from the hash. Encryption is two-way — you can decrypt with the right key. Use hashing for integrity checks and content addressing; use encryption for confidentiality.
Can I use this hash generator for passwords?
No. Passwords need slow, salted hash functions (bcrypt, scrypt, Argon2) to resist brute-force attacks. The SHA family is fast by design — exactly the wrong property for password storage.