CodeToolProCodeToolPro
GitHub
Generators·8 min read

Hash Generator Guide: MD5, SHA-1, SHA-256 & SHA-512

CodeToolPro Team·

Hash Generator Guide: MD5, SHA-1, SHA-256 & SHA-512

A hash function turns arbitrary input — a password, a file, an API payload — into a fixed-length fingerprint. Whether you are verifying a downloaded binary, storing a secret, or checking cache state, a hash generator gives you that fingerprint in one click. Try it with our Hash Generator — it runs fully in your browser, so your data never leaves the page.

This guide covers what a hash is, how MD5, SHA-1, SHA-256, and SHA-512 differ, why hashing is one-way, the most common pitfalls (like reusing MD5 for passwords), and when to reach for a tool instead of writing code.

What Is a Hash Generator?

A hash generator takes any input and passes it through a cryptographic hash function that returns a fixed-length digest. The same input always yields the same output, and even a one-character change in the input produces a completely different digest — a property you can see instantly:

SHA-256("hello")  = 2cf24dba...938b9824
SHA-256("hellp")  = 471e6b... (entirely different)

The defining properties are:

  • Deterministic — identical input always produces the identical hash.
  • One-way — you cannot reverse a hash back into the original data.
  • Avalanche effect — a tiny input change flips roughly half the output bits.
  • Fixed length — SHA-256 is always 64 hex characters, regardless of input size.

MD5 vs SHA-1 vs SHA-256 vs SHA-512

These are the four algorithms people actually meet in day-to-day development.

AlgorithmDigest sizeStatusTypical use
MD5128 bits (32 hex)Broken — collisions foundLegacy checksums, non-security dedup
SHA-1160 bits (40 hex)Broken — collisions foundGit history IDs (legacy), legacy certs
SHA-256256 bits (64 hex)SecureFile integrity, TLS, blockchain
SHA-512512 bits (128 hex)SecureHigh-security signing, large inputs

MD5 and SHA-1 are fast and convenient, but they are no longer safe for anything security-related. Use SHA-256 or SHA-512 whenever the hash protects data.

Why Hashes Are One-Way

A hash function compresses input of any length down to a fixed number of bits. Because the input space is effectively infinite and the output space is fixed, many inputs must map to the same output — the function loses information by design. That is what makes it irreversible.

This is exactly why hashes are useful for storage: you keep the digest, not the secret. An attacker who steals the hash table still does not get the raw password. (Though, as noted below, you should still salt and use a slow function for passwords.)

Hex, Base64, and Binary Output

A hash is just a sequence of bytes. Most tools display it as a hexadecimal string because hex is human-readable and compact enough, but you can also get raw binary or Base64:

  • Hex — each byte becomes two characters (0–9, a–f). SHA-256 is 64 hex chars.
  • Base64 — packs 3 bytes into 4 characters, so SHA-256 becomes 44 Base64 chars. More compact for transport.
  • Binary — the raw 32 bytes, useful when feeding the digest into another function.

Our generator lets you copy any of these formats so the output drops straight into your code or config.

Code Examples

JavaScript

// SHA-256 of a string using the Web Crypto API (browser + Node 20+)
async function sha256(text) {
  const data = new TextEncoder().encode(text);
  const digest = await crypto.subtle.digest("SHA-256", data);
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

console.log(await sha256("hello"));
// 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Python

import hashlib

# SHA-256 (recommended for integrity and security)
print(hashlib.sha256(b"hello").hexdigest())

# MD5 — legacy / non-security use only
print(hashlib.md5(b"hello").hexdigest())

# SHA-512 — stronger, for high-security signing
print(hashlib.sha512(b"hello").hexdigest())

Both runtimes expose the same algorithms, so a digest computed in Node matches one computed in Python bit-for-bit.

Common Pitfalls

  • Using MD5 or SHA-1 for passwords — they are fast and collision-prone. Use bcrypt, scrypt, or Argon2 for password storage.
  • Storing unsalted hashes — identical passwords then produce identical hashes, enabling rainbow-table attacks. Always salt.
  • Verifying integrity with a broken hash — MD5 collisions let an attacker craft a second file with the same digest. Use SHA-256 for integrity checks.
  • Treating a hash as encryption — hashing is not encryption; there is no key and no way back. If you need to recover the data, encrypt it instead.
  • Comparing hashes with == — string comparison can leak timing information. Use a constant-time compare for secrets.

Related Tools

When to Use a Hash Generator Instead of Code

You can call crypto.subtle.digest() in a few lines, so why open a tool? The same answer applies as for a JSON formatter: when you just pasted a string, a log line, or a downloaded file and want the digest now — no scaffold, no clipboard of sensitive data sent to a server. For production pipelines, keep the code; for ad-hoc verification and debugging, the browser tool is faster and keeps the data local.