A cryptographic hash function takes arbitrary input data and produces a fixed-size output string called a "hash" or "digest." The same input always produces the same hash, but even a single-character change in the input produces a completely different output, a property known as the "avalanche effect." Hash functions are one-way: you cannot reverse a hash to recover the original data. These properties make hashing fundamental to modern computing, from verifying file downloads to securing passwords and building blockchain networks.
| Algorithm | Output Size | Status | Common Use |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | Broken for security | Checksums, deduplication |
| SHA-1 | 160 bits (40 hex chars) | Deprecated | Legacy systems, git |
| SHA-256 | 256 bits (64 hex chars) | Secure | Digital signatures, Bitcoin, TLS |
| SHA-512 | 512 bits (128 hex chars) | Secure | Password hashing, certificates |
MD5 was the standard for decades, but collision attacks (two different inputs producing the same hash) were demonstrated in 2004. It is still fine for non-security uses like checksums and cache keys, but should never be used for passwords or digital signatures. SHA-1 was deprecated in 2017 after Google demonstrated a practical collision. SHA-256 is the current standard for most security applications, including Bitcoin's proof-of-work and TLS certificate signing. SHA-512 produces a longer hash and is sometimes preferred for password hashing because it is slightly faster on 64-bit processors than SHA-256.
File integrity verification: When you download software, the publisher often provides a SHA-256 hash. You can hash the downloaded file and compare the result to verify the file was not corrupted or tampered with during transfer.
Password storage: Responsible applications never store plain-text passwords. Instead, they store the hash. When you log in, the system hashes your input and compares it to the stored hash. For passwords specifically, use purpose-built algorithms like bcrypt, scrypt, or Argon2 that add salting and intentional slowness to resist brute-force attacks.
Data deduplication: Cloud storage services and backup tools hash files to detect duplicates. If two files produce the same hash, they are almost certainly identical, and only one copy needs to be stored.
Git version control: Git identifies every commit, tree, and blob by its SHA-1 hash. This is how Git detects changes and ensures repository integrity.
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a keyed hash. Unlike a plain hash, HMAC proves both the integrity of the data and the identity of the sender, because only someone with the secret key can produce the correct HMAC.
HMAC is used in API authentication (AWS Signature V4, Stripe webhook verification), secure token generation, and message integrity checks. If you are building an API that accepts webhooks, HMAC verification is the standard way to confirm that the payload was not tampered with in transit.
Drag and drop any file onto this tool to compute its hash. File hashing is commonly used to verify download integrity, compare files across systems, and detect unauthorized changes to critical files. The entire file is processed in your browser using the Web Crypto API. Nothing is uploaded, and there is no file size limit beyond your browser's available memory.
Working with encoded data? Try the Base64 Encoder. Need to generate secure passwords? The Password Generator uses cryptographic randomness. For authentication tokens, check out the JWT Decoder. For more context on building with APIs that use HMAC authentication, see 30+ Free APIs for Developers in 2026.
This tool runs 100% client-side using the Web Crypto API. No data is sent to any server. Your text and files never leave your machine. You can verify this by checking the network tab in your browser's developer tools.