Hash Generator
MD5, SHA-1, SHA-256, SHA-384, SHA-512 of text or files in your browser. Hex / Base64 / Base64url.
published
- [FREE]
- [NO_SIGNUP]
- [NO_UPLOAD]
A hash generator computes a fixed-size digest (MD5, SHA-1, SHA-256, SHA-384, SHA-512) of text or a file. This tool runs every algorithm in your browser at once — WebCrypto for the SHA family, a bundled MD5 library for legacy compatibility — and shows hex, base64, and base64url encodings side by side.
How to use the hash generator
- Pick a mode. Text hashes whatever you paste, live. File hashes any file you drop or pick — the bytes never leave your browser.
- Pick an encoding. Hex (lowercase) is the conventional CLI form. Base64 is shorter; base64url is what JWT signatures and many HTTP-header values use.
- Read all five at once. Every algorithm runs simultaneously. No tab-switching, no “compute” button — text mode hashes on every keystroke.
- Optional: verify against an expected hash. Paste the hash you expect, and the Match column shows ✓ or ✗ next to each row. The comparison is case-insensitive for hex; the encoding selector applies to everything.
- Copy, download, or share. Per-row Copy button. Copy share link round-trips text-mode state via URL hash (file mode can’t share — files don’t fit in a URL).
When to use which algorithm
| Algorithm | Bits | When to use | When NOT to use |
|---|---|---|---|
| MD5 | 128 | Fast non-adversarial checksums: download integrity from a trusted source, cache keys, detecting accidental file corruption. | Anything where an attacker chooses input. Password hashing (use bcrypt/argon2). Digital signatures. Certificate pinning. |
| SHA-1 | 160 | git object IDs (still SHA-1 internally), legacy AWS V2 signatures, older TLS hashes. | New code. Use SHA-256 instead. Practical collisions since 2017 (SHAttered). |
| SHA-256 | 256 | Default modern choice. TLS, JWT (HS256/RS256/ES256), Bitcoin, file integrity for security-relevant use. | Need very long digests for hash-chain length? Use SHA-512. |
| SHA-384 | 384 | TLS ECDSA suites (P-384 curve), JWT ES384. Specific compliance regimes. | Most use cases — SHA-256 is faster and sufficient. |
| SHA-512 | 512 | SSH keys, password storage (with PBKDF2/bcrypt/argon2 KDF wrapper), 64-bit-system optimization (faster than SHA-256 on 64-bit). | When you need a shorter digest — SHA-512 outputs 128 hex chars. |
Worked examples
Verifying a download
A project lists sha256sum: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for its download. You want to verify locally without uploading the file to a stranger’s server.
- Switch to File mode.
- Drop the downloaded file into the picker.
- Find the SHA-256 row.
- Paste the published hash into the Verify field.
- SHA-256 row shows ✓ — file is intact.
This works for any algorithm the download page publishes (md5sum, sha1sum, sha256sum, sha512sum). The browser computes the hash from the bytes on disk; no upload happens.
Generating a cache key
You want a deterministic key for a downstream cache. Paste the canonical form of the input (sorted-keys JSON, normalized whitespace), pick SHA-256, copy the hex.
Checking a JWT signature manually
JWT signatures are HMAC or RSA over base64url-encoded data. The hash function inside (SHA-256 for HS256/RS256, SHA-384 for HS384/RS384, etc) can be tested here against the raw concatenation header + "." + payload. Pair with the JWT Decoder to see the parts.
Things this tool deliberately doesn’t do
- No SHA-3 family (Keccak). WebCrypto omits it. Adding a polyfill bloats the bundle for a tiny audience. Use OpenSSL CLI or a dedicated SHA-3 library if you need it.
- No HMAC (yet). HMAC is hash + key; the JWT decoder handles the JWT-specific HMAC case. A future HMAC tool may land if there’s demand.
- No password-hashing KDFs (bcrypt, argon2, scrypt, PBKDF2). These are not hash functions per se — they wrap a hash with iteration + salt + memory cost. They live in a separate tool category.
- No constant-time comparison in the Verify field. This is a developer tool, not a server-side equality check. Use
crypto.subtle.timingSafeEqualserver-side if attacker-controlled.
How it compares
| bytefork.tools | xorbin.com | online-md5.com | |
|---|---|---|---|
| Runs in browser | ✓ (WebCrypto + spark-md5) | ✓ | ✓ |
| MD5 + SHA-1 + SHA-256 + SHA-384 + SHA-512 simultaneously | ✓ all 5 | partial | MD5 only |
| File mode | ✓ chunked for MD5 | ✓ | partial |
| Verify against expected hash | ✓ inline match column | ✗ | ✗ |
| Hex / Base64 / Base64url encodings | ✓ all 3 | hex only | hex only |
| Ad-free | ✓ | ✗ | ✗ |
Privacy and security
A static HTML page with a small JavaScript bundle. WebCrypto runs in your browser tab. The spark-md5 library is bundled into the page, not fetched on demand. The Network tab in DevTools confirms it — no requests fire when you paste text, pick a file, or read a digest. There is no upload, no temporary cloud storage, no analytics on input content.
Related tools
- JWT Decoder & Verifier — verify JWT signatures (HS256 = HMAC-SHA-256 under the hood).
- JSON Formatter & Error Reviewer — pretty-print canonical JSON before hashing for a deterministic cache key.
- Diff Checker — verify two files match content-byte-for-byte when their hashes differ.
Frequently asked questions
Is my data sent to a server?
No. SHA-1, SHA-256, SHA-384, and SHA-512 are computed via the browser-native WebCrypto API. MD5 is computed via the spark-md5 library bundled into the page (~10 KB). Files are read by FileReader / Blob.arrayBuffer — they never leave your device. Open DevTools → Network and you will see no outbound request with your input.
Which algorithms are supported?
MD5 (legacy, fast checksums only), SHA-1 (deprecated for security but still used by git and some legacy APIs), SHA-256 (the modern default — used by TLS, JWT, Bitcoin), SHA-384, and SHA-512. SHA-3 is not exposed by WebCrypto; if you need it, add a polyfill or use the OpenSSL CLI.
Can I hash a 1 GB file?
Yes, in theory — the limit is your browser's memory. The tool streams the file in 4 MiB chunks for the MD5 path, and feeds the whole buffer to WebCrypto for SHA paths. WebCrypto is not a streaming API; very large files may stutter while it reads. For multi-gigabyte files prefer a CLI hasher (`sha256sum`, `md5sum`, PowerShell `Get-FileHash`).
What is the difference between hex, base64, and base64url?
All three encode the same digest bytes differently. Hex is the conventional form used by `sha256sum`, git, and most CLI tools — 64 hex chars for SHA-256. Base64 is shorter (44 chars for SHA-256) and used in HTTP headers, X.509 certificates, JSON-LD. Base64url is base64 with URL-safe characters (`+` → `-`, `/` → `_`, no padding) and is what JWT signatures use.
How do I verify a download integrity hash?
Paste the file or its content, pick the algorithm the download page specified, set the encoding to match (almost always hex), and paste the published hash into the Verify field. The Match column shows ✓ or ✗ next to each row.
Why does my MD5 differ from md5sum?
Two common causes: (1) line-ending differences (Windows CRLF vs Unix LF) change the bytes hashed. Paste with the same line endings as the source. (2) trailing newline — some tools include the final newline in the file, others don't. Re-save the file with a known editor and re-hash.
Is MD5 still safe to use?
For security purposes (password hashing, digital signatures, certificate pinning) — no. Collision attacks are practical since 2008. For non-adversarial checksums (verifying a download you trust, generating a cache key, detecting accidental corruption) — yes, it is fast and still used widely. The rule: never use MD5 where an attacker can choose the input.
Are these hashes constant-time?
The algorithms themselves are. The string comparison in the Verify field is not — that comparison runs as plain JavaScript `===`, which short-circuits on the first byte difference. If you need timing-safe comparison (server-side equality check on a secret), use `crypto.subtle.timingSafeEqual` or your language's constant-time equality primitive, not this tool.
Can I share my hash session?
Yes for text mode — the share link encodes the text input, encoding choice, and expected-hash field into the URL fragment. File mode cannot be shared because files don't fit in a URL. Re-pick the file on the recipient's machine.
Is the hash generator really free?
Yes. No signup, no account, no ads, no telemetry on your input. The source is on the project repository.