SHA Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files to verify integrity or create checksums.

SHA-1160-bit ยท Collisions found, not recommended for security
SHA-256256-bit ยท Most widely used standard
SHA-384384-bit
SHA-512512-bit

โ„น๏ธ This tool generates simple, keyless hashes (digests). This is different from HMAC, which authenticates messages with a secret key. Since anyone can produce the same value with the same input, use an HMAC generator for tamper-proofing. It is also not suitable for password storage (use bcryptยทargon2).

What is the SHA Hash Generator?

Quickly and securely generate SHA hashes for text or files. This tool calculates SHA-1, SHA-256, SHA-384, and SHA-512 hashes simultaneously, which is useful for creating a digital fingerprint or verifying a file's integrity by checking its checksum. It includes a smart comparison feature: paste the expected checksum, and the tool automatically finds which of the four generated hashes it matches. All calculations happen in your browser; your text and files are never sent to a server, ensuring your data remains private.

How to use

  1. Select your input method by clicking the '๐Ÿ“ Text' or '๐Ÿ“ File' button.
  2. For text, type or paste your content into the 'Text input' box. The four SHA hashes appear as you type.
  3. For a file, drag it onto the dropzone or click to select it. The file's checksums will be calculated automatically.
  4. To verify a checksum, paste the value from the distributor into the 'Expected hash' field. A 'Match โœ“' badge will appear next to the correct hash if it's found.
  5. Click 'Copy' to get a specific hash, or toggle between 'Lowercase' and 'Uppercase' to change the output format.

SHA Hash Generator guide

How this tool is used in real work, and what to watch out for.

Hashing, Encryption, and Encoding โ€” Starting with the Differences

These three terms are often used interchangeably, but they serve completely different purposes. When you're confused, just ask two questions: "Can it be reversed?" and "Does it require a key?"

ReversibilityKeyPurposeExample
EncodingAnyone can reverseNoneChange representationBase64, URL Encoding
EncryptionReversible with a keyYesHide contentAES, RSA
HashingIrreversible (by design)NoneCreate/compare a fingerprintSHA-256
Since a hash cannot be reversed, a requirement like "store this as a hash and show the original value later" is a problem to be solved with encryption, not hashing. Conversely, if you only need to compare valuesโ€”like checking for a password match or file integrityโ€”hashing is the right tool.

Why You Shouldn't Store Passwords with SHA-256

This is where the logic "it can't be reversed, so it must be safe" breaks down. An attacker doesn't need to reverse the hash. They just need to pre-compute hashes for a massive list of common passwords (a "rainbow table") and look up your stolen hash. If you put `password1` or `qwerty123` into this tool, you can search for the resulting SHA-256 hash and find countless sites that will tell you the original password.

Speed makes the problem worse. The SHA family of algorithms was designed to be fast, and a modern GPU can compute billions of them per second. For password storage, you need the exact opposite property: you need it to be deliberately slow.

  • Salt โ€” Mix in a different random value for each user. This ensures that two users with the same password will have different hashes, rendering pre-computed tables useless.
  • Slow Functions โ€” Algorithms like bcrypt, argon2id, and scrypt are designed with an adjustable computational cost (or "work factor"). A 0.1-second delay for a single login is unnoticeable to a user, but it makes brute-force attacks prohibitively expensive.
  • Conclusion โ€” Use bcrypt or argon2id for passwords. Do not store the output of this tool in your database.
The idea "Can't I just run SHA-256 multiple times?" is also a dangerous DIY approach. It is always better to use a vetted library than to try to correctly implement iteration counts, salt handling, and protection against timing attacks yourself.

Verifying File Integrity โ€” A Practical Walkthrough

When you download open-source software or installer files, the distributor often publishes a SHA-256 checksum alongside the download. This is used to verify that the file wasn't corrupted during transfer or tampered with by a third party.

  1. Switch the input method at the top to "๐Ÿ“ File" and drag your downloaded file onto the drop zone. The file is only read within your browser and is never uploaded anywhere.
  2. Paste the checksum from the distributor's website into the "Expected hash" field.
  3. A badge will immediately show which algorithm matchesโ€”for example, "โœ“ SHA-256 Match".
  4. If you see a mismatch, try downloading the file again. If you get the same result, the distributor may have posted an old value, or the file may genuinely be different.
  • Why is there a case toggle? โ€” Distributors format hashes differently. The comparison itself ignores case, whitespace, and colons, so you can just paste whatever you're given.
  • A message like "โœ— No Match (SHA-256 length)" means the hash has the correct format for that algorithm, but its value doesn't match.
  • If you see "โœ— Not a hexadecimal hash", you likely pasted the filename or other characters along with the hash string.
If the checksum is only on the distributor's website and that site has been compromised, the checksum could have been replaced along with the file. That's why critical software is often accompanied by a GPG signature in addition to a hash. A hash reliably tells you if a file is *corrupted*; a signature is needed to tell if it's been *forged*.

What Is SHA-1 Still Good For?

There's a reason the SHA-1 field says "Collisions found, not recommended for security." In 2017, researchers demonstrated a practical attack (called SHAttered) that produced two different PDF files with the same SHA-1 hash, and the cost of such attacks has only decreased since. This means an attacker can intentionally create a file that has different content but the same hash.

For this reason, you must not use SHA-1 for any security-sensitive application where an adversary might try to fool you, such as digital signatures, certificates, or integrity verification. However, for non-adversarial use casesโ€”like generating cache keys or identifying duplicate filesโ€”it remains practical. This tool includes SHA-1 because you may still need to check a hash generated by an older system.

  • For anything new, use SHA-256. If you don't have a specific reason to choose something else, this is the one to pick.
  • SHA-384 and SHA-512 are simply longer; in practice, there are few scenarios where they are meaningfully more secure than SHA-256. On 64-bit systems, SHA-512 can sometimes even be faster.
  • MD5 is not included in this tool. The standard Web Crypto API, used by browsers, does not support it at all. It's a long-deprecated algorithm, as collisions can be generated in seconds.

What This Tool Can't Do โ€” When You Need HMAC

This tool produces a simple, keyless digest. This means anyone with the same input can calculate the same output, so it cannot be used to prove that "we sent this data." An attacker could simply modify the data, recalculate the hash, and send both along.

For use cases where there's a motive for forgeryโ€”like verifying payment callbacks, webhook signatures, or API request signaturesโ€”you should use HMAC-SHA256, which incorporates a secret key. When integration docs for a service ask you to "generate a hash," they often mean a keyed hash that includes your secret merchant key. Using a simple SHA hash will fail their verification.

Toolz has a separate HMAC Generator. If your documentation mentions a "secret key" or "secret," you should use that tool instead.

Frequently asked questions

Is my input data safe? Is it sent to a server?

Yes, it's completely safe. This tool processes all data locally in your browser. Your text and files are never uploaded or stored, so you can securely hash sensitive information.

How does the hash comparison work?

Just paste a hash into the 'Expected hash' field. The tool automatically compares it against all four generated hashes (SHA-1, SHA-256, SHA-384, SHA-512) and highlights any match.

Why isn't MD5 available?

MD5 is not supported because it has critical security vulnerabilities and is no longer recommended. This tool uses the modern Web Crypto API, which has deprecated MD5 for security reasons.

Can I use this to encrypt passwords for storage?

No, you must not. These are simple hashes, vulnerable to rainbow table attacks. For password storage, always use salted, dedicated algorithms like bcrypt, scrypt, or argon2.