# Hash Generator

Generate SHA-1, SHA-256, SHA-384, SHA-512 hashes using the browser's native Web Crypto API. Nothing leaves your device.

Input Text

⚠️ Security note: MD5 and SHA-1 are cryptographically broken and should not be used for passwords or security-sensitive hashing. Use SHA-256 or SHA-512 for security applications.

Complete Guide

📊 Key Data Points

SHA-256 for verification

SHA-256 is the standard for content integrity verification — file checksums, API request signing, and digital certificates

MD5 is not secure

MD5 is broken for cryptographic use — do not use it for password hashing. Use bcrypt, Argon2, or scrypt.

HMAC-SHA256

Hash-based Message Authentication Code — used for API request signing (AWS, Stripe, GitHub webhooks)

Hash Generator — MD5 SHA256 HMAC -- Complete USA Guide 2026

Hashing is fundamental to security: password storage, content verification, API request signing, and digital signatures all use hash functions. Choosing the wrong hash algorithm (MD5 for password storage) or misunderstanding HMAC vs plain hashing is a common security mistake.

This generator computes MD5, SHA-1, SHA-256, SHA-512, and HMAC-SHA256 with an optional key. Runs in your browser using the Web Crypto API.

**Long-tail searches answered here:** hash generator online free, md5 sha256 hash calculator browser, HMAC SHA256 generator with key free online.

For password hashing specifically, use bcrypt via a proper library — never MD5.

🔬 How This Calculator Works

Computes MD5, SHA-1, SHA-256, SHA-512, and SHA-3 hashes of any input string, plus HMAC-SHA256 with a user-provided key. SHA family uses the browser Web Crypto API — a native cryptographic implementation. Shows hash in hex and Base64 formats. Updates in real time as you type.

✅ What You Can Calculate

HMAC-SHA256 with key

Generates HMAC-SHA256 (Hash-based Message Authentication Code) — the standard for API request signing (AWS Signature V4, Stripe webhooks). Enter the message and secret key.

Multiple hash algorithms

MD5, SHA-1, SHA-256, SHA-512, and SHA-3 computed simultaneously from the same input for comparison.

Web Crypto API

SHA family uses the browser native Web Crypto API — a native cryptographic implementation that is faster and more secure than JavaScript libraries.

Multiple output formats

Shows hash output in hexadecimal (most common) and Base64 (for compact representation).

🎯 Real Scenarios & Use Cases

Content integrity verification

Compute the SHA-256 hash of a file or text before and after transmission to verify integrity — the hash should be identical if content was not modified.

API request signing verification

Verify that your HMAC-SHA256 request signing implementation produces the expected hash for a known input before testing against the actual API.

Deduplication key generation

Generate a hash of a large content block to use as a deduplication key — objects with the same hash are likely identical.

JWT signature debugging

Manually compute the HMAC-SHA256 of a JWT header.payload using the secret key to verify the signature matches what the JWT library produces.

💡 Pro Tips for Accurate Results

MD5 is not secure for passwords. MD5 is broken for cryptographic use — do not use it for password hashing. Use bcrypt, Argon2, or scrypt. MD5 is acceptable for checksums and non-security-sensitive deduplication.

SHA-256 for content verification. SHA-256 is the standard for content integrity verification — file checksums, API request signing, and digital certificates.

Input encoding affects the hash. Hello and Hello with trailing space produce completely different hashes. The String Inspector shows exactly what bytes your input contains.

HMAC for API signing. An HMAC is a hash of the message + a secret key. API request signing (AWS Signature V4, Stripe webhooks) uses HMAC-SHA256. Enter both the message and key here.

🔗 Use These Together

JWT Decoder→Password Generator→Base64 Encoder→RSA Key Info→String Hash Calculator→URL Encoder→String Inspector→Character Encoder→

🏁 Bottom Line

Hashing is fundamental to security — content integrity, API authentication, and digital signatures all depend on correct hash function usage. This generator supports both plain hashing and HMAC-SHA256 for API request signing. For password hashing: use bcrypt via a proper library — never MD5.

Which hash algorithm should I use?

For any security-sensitive application: SHA-256 or SHA-512. MD5 and SHA-1 are cryptographically broken — collision attacks have been demonstrated against both (MD5 collisions in seconds on modern hardware, SHA-1 in 2017 with SHAttered). Use MD5 only for non-security checksums where speed matters and collision resistance is not required. For modern security uses — password hashing foundation, digital signatures, data integrity — SHA-256 minimum.

Is this suitable for hashing passwords for database storage?

No — SHA-256 and SHA-512 are too fast for password storage. A modern GPU computes billions of SHA-256 hashes per second, making brute-force attacks against leaked hash databases practical. Passwords must be hashed with a slow, memory-hard algorithm: bcrypt (cost factor 12+), scrypt, Argon2id, or PBKDF2 with 600,000+ iterations. These are intentionally slow. Use this Hash Generator for checksums, HMAC signing, data deduplication, and API request verification — not for storing user passwords.

What is the practical difference between SHA-256 and SHA-512?

SHA-256: 256-bit output (64 hex characters). SHA-512: 512-bit output (128 hex characters). SHA-512 provides higher theoretical security margin but is practically overkill — no known attack against either is feasible. SHA-512 can be faster on 64-bit CPUs for large inputs because it operates on 64-bit words internally. SHA-256 is the de facto standard (used by TLS certificates, Git, Bitcoin, and most modern systems). Use SHA-512 when specifically required or for maximum long-term archival margin.

What is an HMAC and how is it different from a plain hash?

A plain hash (SHA-256 of 'hello') is reproducible by anyone who knows the input. An HMAC mixes a secret key into the hash: HMAC = hash(key XOR opad || hash(key XOR ipad || message)). Only someone with the key can produce or verify it. HMACs are used for: signing API requests (AWS Signature Version 4 uses HMAC-SHA256), verifying webhook payloads (GitHub, Stripe include HMAC-SHA256 signatures), and JWT HS256 tokens.

How do I verify a file checksum?

Generate the hash of your downloaded file using the same algorithm listed on the download page (usually MD5 or SHA-256). Compare to the published checksum character by character. If they match, the file arrived intact. If they differ, the file was corrupted in transit or tampered with. For large binary files, the terminal is faster: sha256sum filename on Linux/Mac, certutil -hashfile filename SHA256 on Windows.

Why does the same input always produce the same hash output?

Hash functions are deterministic by design. This determinism is their primary utility: compute a hash of known-good data, store it, later hash the received data and compare. If hashes match, the data is identical. This is also why password storage requires salting: without a unique random salt per user, two users with the same password have the same hash, enabling precomputed rainbow table attacks against both simultaneously.

What other tools work alongside the Hash Generator?

The Password Generator creates strong random secrets that are often used as HMAC keys. The Base64 Encoder converts binary hash output to Base64 strings for HTTP headers — many API signature schemes transmit HMAC-SHA256 results as Base64. The JWT Decoder shows the algorithm used in a JWT header (often HS256 = HMAC-SHA256). The String Hash Calculator provides additional algorithms and comparison features. All are in the Dev Tools section.