⚡ QuickTools
🔒

Hash Generator

Developer

Generate MD5, SHA-1, SHA-224, SHA-256, SHA-384 & SHA-512 hashes from any text. Supports hex, Base64, and Base64URL output, plus HMAC signing. Free and instant.

Input Text

Output Encoding

HMAC Mode

Add a secret key to generate a keyed-hash message authentication code

Results

🔒

Enter text and click
Generate Hashes

Explore This Tool in Context

Hash Generator is part of the Developer collection. If you want a broader view of similar workflows, open the Developer category page or browse all QuickTools categories.

Common next steps after this tool include JSON Formatter, QR Code Generator and Base64 Encoder / Decoder.

What Is a Hash Generator?

A cryptographic hash function takes any input — a single character, a password, or an entire document — and produces a fixed-length fingerprint called a digest. The same input always produces the same digest, but even a one-character change produces a completely different output. This property is called the avalanche effect.

Hash functions are one-way by design: you cannot reverse a hash back to the original input (without brute-force). That makes them essential in cybersecurity, data integrity verification, digital signatures, password storage, and software checksums. This tool computes all six major hash algorithms simultaneously — MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 — and supports three output formats: Hex, Base64, and Base64URL.

The optional HMAC mode (Hash-based Message Authentication Code) adds a secret key to the hash computation, producing a keyed digest that proves both the data integrity and the authenticity of whoever generated it — essential for API request signing, webhook verification, and JWT implementations.

How to Use the Hash Generator

  1. Enter your text — Type or paste any input into the text box. You can also press Ctrl+Enter (Cmd+Enter on Mac) to generate instantly.
  2. Choose output encoding — Select Hex (default, lowercase hexadecimal), Base64 (compact with +/= padding), or Base64URL (URL-safe, no +/= characters — used in JWTs and web tokens).
  3. Toggle HMAC mode (optional) — Enable the HMAC toggle and enter a secret key to generate keyed message authentication codes for all six algorithms simultaneously.
  4. Click Generate Hashes — All six hashes appear instantly in the results panel. Each has an individual copy button.
  5. Copy or download — Click Copy All to get all hashes in a labelled list, or Download .txt to save them to a file.

Hash Algorithm Comparison

AlgorithmOutput SizeSecurity StatusCommon Uses
MD5128-bit / 32 hexBrokenNon-security checksums, legacy file verification
SHA-1160-bit / 40 hexDeprecatedLegacy TLS, old Git commits, compatibility testing
SHA-224224-bit / 56 hexSecureTruncated SHA-256 for constrained environments
SHA-256256-bit / 64 hexRecommendedTLS certificates, JWT, file integrity, Bitcoin
SHA-384384-bit / 96 hexSecureHigh-security certificates, banking, government
SHA-512512-bit / 128 hexSecureMaximum strength hashing, password KDFs, archival

Real-World Hash Examples

File integrity check

SHA-256
sha256sum myfile.zip
# a591a6d40bf420404...

Git commit SHA

SHA-1
git log --format="%H"
# 4b825dc642cb6eb9a...

API webhook verification

HMAC
HMAC-SHA256(secret, payload)
# Compare to X-Hub-Signature-256

Password hashing input

SHA-256
bcrypt(sha256(password), salt)
# Pre-hash before bcrypt

JWT signature

HMAC
HMAC-SHA256(base64Header + "." + base64Payload, secret)

Software download checksum

MD5
MD5: d41d8cd98f00b204e9800998ecf8427e
# Compare with published hash

How Cryptographic Hashing Works

All SHA-2 family algorithms (SHA-224, 256, 384, 512) follow the same high-level structure — the Merkle–Damgård construction:

  1. Padding — the input message is padded to a multiple of 512 bits (SHA-256/224) or 1024 bits (SHA-384/512), and the original message length is appended as a 64-bit or 128-bit integer.
  2. Block splitting — the padded message is divided into fixed-size blocks (512 or 1024 bits).
  3. Compression rounds — each block is processed through 64 or 80 rounds of bitwise operations (AND, OR, XOR, rotate, shift) mixed with round constants derived from cube roots of prime numbers.
  4. Chaining — the output of each block compression is fed into the next block’s compression, creating a chain. The final block’s output is the hash digest.

HMAC wraps the hash function: HMAC(K, m) = H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ m)). The key is XOR’d with inner and outer padding, ensuring the MAC is bound to the secret key even if the hash itself is public.

Frequently Asked Questions

Which hash algorithm should I use?

For modern applications, use SHA-256 (general) or SHA-512 (high-security). SHA-256 is the NIST-recommended standard used in TLS certificates, Bitcoin, and most authentication systems. Never use MD5 or SHA-1 for any new security-critical purpose — both have known collision attacks. For password storage, do not use raw SHA-256 — use a proper KDF like bcrypt, Argon2, or scrypt instead.

What is HMAC and when should I use it?

HMAC (Hash-based Message Authentication Code) is a keyed hash — it combines a secret key with the message before hashing. Use HMAC when you need to prove both that data has not been tampered with AND that it came from someone who knows the secret key. Common use cases: webhook signature verification (GitHub, Stripe), JWT signing (HS256 = HMAC-SHA256), API authentication headers.

Can I reverse a SHA-256 hash back to the original text?

No. SHA-256 is a one-way function — it is computationally infeasible to derive the original input from a hash (preimage resistance). For short or common inputs (dictionary words, simple passwords), attackers can use rainbow tables or brute-force lookups. This is why passwords must be hashed with a slow KDF (bcrypt, Argon2) and salt rather than raw SHA-256.

What is the difference between Hex and Base64 output?

Both represent the same hash bits in different textual formats. Hex uses 0–9 and a–f — a SHA-256 hash is always 64 hex characters. Base64 uses A–Z, a–z, 0–9, +, / and = padding — the same SHA-256 hash is 44 Base64 characters (more compact). Base64URL replaces + with - and / with _ and omits = padding, making it safe in URLs and JSON Web Tokens.

Why do MD5 and SHA-1 still appear in software?

Legacy compatibility. Millions of existing systems, protocols, and file formats were built assuming MD5 or SHA-1. Git uses SHA-1 for its internal object model (migrating to SHA-256 gradually). Many checksum tools use MD5 purely for accidental-error detection (not security). For new systems, always choose SHA-256 or higher.

Is it safe to hash passwords with SHA-256?

No. SHA-256 is designed to be fast, which is exactly what you don’t want for password storage. An attacker with a GPU can compute billions of SHA-256 hashes per second. Always use a dedicated password hashing function: bcrypt (2^cost iterations), Argon2id (OWASP recommended), or scrypt. These functions are intentionally slow and can be tuned as hardware speeds up.

Related Tools

UUID GeneratorGenerate UUID v1, v4, v5, and Nil identifiers in bulk.Base64 Encoder / DecoderEncode or decode text and files using Base64.QR Code GeneratorTurn URLs, Wi-Fi credentials, and vCards into QR codes.JSON FormatterFormat, validate, and minify JSON data instantly.URL Encoder / DecoderEncode or decode URL components and query strings.Lorem Ipsum GeneratorGenerate placeholder text for mockups and prototypes.

More in Developer

View category hub →

Popular Tools

Browse all popular tools →