Hash Generator Guide: MD5, SHA-1, SHA-256 & SHA-512
Hash Generator Guide: MD5, SHA-1, SHA-256 & SHA-512
A hash function turns arbitrary input — a password, a file, an API payload — into a fixed-length fingerprint. Whether you are verifying a downloaded binary, storing a secret, or checking cache state, a hash generator gives you that fingerprint in one click. Try it with our Hash Generator — it runs fully in your browser, so your data never leaves the page.
This guide covers what a hash is, how MD5, SHA-1, SHA-256, and SHA-512 differ, why hashing is one-way, the most common pitfalls (like reusing MD5 for passwords), and when to reach for a tool instead of writing code.
What Is a Hash Generator?
A hash generator takes any input and passes it through a cryptographic hash function that returns a fixed-length digest. The same input always yields the same output, and even a one-character change in the input produces a completely different digest — a property you can see instantly:
SHA-256("hello") = 2cf24dba...938b9824
SHA-256("hellp") = 471e6b... (entirely different)
The defining properties are:
- Deterministic — identical input always produces the identical hash.
- One-way — you cannot reverse a hash back into the original data.
- Avalanche effect — a tiny input change flips roughly half the output bits.
- Fixed length — SHA-256 is always 64 hex characters, regardless of input size.
MD5 vs SHA-1 vs SHA-256 vs SHA-512
These are the four algorithms people actually meet in day-to-day development.
| Algorithm | Digest size | Status | Typical use |
|---|---|---|---|
| MD5 | 128 bits (32 hex) | Broken — collisions found | Legacy checksums, non-security dedup |
| SHA-1 | 160 bits (40 hex) | Broken — collisions found | Git history IDs (legacy), legacy certs |
| SHA-256 | 256 bits (64 hex) | Secure | File integrity, TLS, blockchain |
| SHA-512 | 512 bits (128 hex) | Secure | High-security signing, large inputs |
MD5 and SHA-1 are fast and convenient, but they are no longer safe for anything security-related. Use SHA-256 or SHA-512 whenever the hash protects data.
Why Hashes Are One-Way
A hash function compresses input of any length down to a fixed number of bits. Because the input space is effectively infinite and the output space is fixed, many inputs must map to the same output — the function loses information by design. That is what makes it irreversible.
This is exactly why hashes are useful for storage: you keep the digest, not the secret. An attacker who steals the hash table still does not get the raw password. (Though, as noted below, you should still salt and use a slow function for passwords.)
Hex, Base64, and Binary Output
A hash is just a sequence of bytes. Most tools display it as a hexadecimal string because hex is human-readable and compact enough, but you can also get raw binary or Base64:
- Hex — each byte becomes two characters (0–9, a–f). SHA-256 is 64 hex chars.
- Base64 — packs 3 bytes into 4 characters, so SHA-256 becomes 44 Base64 chars. More compact for transport.
- Binary — the raw 32 bytes, useful when feeding the digest into another function.
Our generator lets you copy any of these formats so the output drops straight into your code or config.
Code Examples
JavaScript
// SHA-256 of a string using the Web Crypto API (browser + Node 20+)
async function sha256(text) {
const data = new TextEncoder().encode(text);
const digest = await crypto.subtle.digest("SHA-256", data);
return [...new Uint8Array(digest)]
.map((b) => b.toString(16).padStart(2, "0"))
.join("");
}
console.log(await sha256("hello"));
// 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Python
import hashlib
# SHA-256 (recommended for integrity and security)
print(hashlib.sha256(b"hello").hexdigest())
# MD5 — legacy / non-security use only
print(hashlib.md5(b"hello").hexdigest())
# SHA-512 — stronger, for high-security signing
print(hashlib.sha512(b"hello").hexdigest())
Both runtimes expose the same algorithms, so a digest computed in Node matches one computed in Python bit-for-bit.
Common Pitfalls
- Using MD5 or SHA-1 for passwords — they are fast and collision-prone. Use bcrypt, scrypt, or Argon2 for password storage.
- Storing unsalted hashes — identical passwords then produce identical hashes, enabling rainbow-table attacks. Always salt.
- Verifying integrity with a broken hash — MD5 collisions let an attacker craft a second file with the same digest. Use SHA-256 for integrity checks.
- Treating a hash as encryption — hashing is not encryption; there is no key and no way back. If you need to recover the data, encrypt it instead.
- Comparing hashes with
==— string comparison can leak timing information. Use a constant-time compare for secrets.
Related Tools
- Create API signatures with the HMAC Generator.
- Store passwords safely with the Bcrypt Generator.
- Generate fixed-length secrets with the Password Generator.
- Validate downloads with the Checksum Calculator.
- Encode binary blobs for transport with Base64.
When to Use a Hash Generator Instead of Code
You can call crypto.subtle.digest() in a few lines, so why open a tool? The same
answer applies as for a JSON formatter: when you just pasted a string, a log line,
or a downloaded file and want the digest now — no scaffold, no clipboard of
sensitive data sent to a server. For production pipelines, keep the code; for
ad-hoc verification and debugging, the browser tool is faster and keeps the data
local.