Computer Science

Hash Generator | SHA-256, SHA-512, SHA-1 & HMAC Online Tool

Generate cryptographic hashes from text input or file upload using SHA-256, SHA-512, SHA-384, and SHA-1 algorithms via the browser's native Web Crypto API. Supports HMAC-SHA256 with a secret key, hex or Base64 output, and side-by-side hash comparison to verify file integrity.

Instant Results100% FreeAny DeviceNo Sign-up

Text to Hash

HMAC-SHA256 Signing

Secret Key

Hash Comparison

What Is the Hash Generator | SHA-256, SHA-512, SHA-1 & HMAC Online Tool?

A cryptographic hash function takes an input of any length and produces a fixed-length digest. The output is deterministic (same input always produces same output), irreversible (you cannot reconstruct the input from the hash), and collision-resistant (it is computationally infeasible to find two different inputs that produce the same hash). These properties make hashes the foundation of file integrity verification, digital signatures, password storage, and blockchain systems.

›SHA-256 is the current industry standard. Approved by NIST (FIPS 180-4), used in TLS 1.3, code signing, and Git's object model. A single changed character in the input produces a completely different hash — this is the avalanche effect.
›SHA-1 is deprecated for security use. Google's SHAttered attack in 2017 demonstrated a practical collision for SHA-1. It remains useful for checksums where collision resistance is not critical (legacy systems, non-security integrity checks), but should not be used for signatures or certificates.
›HMAC adds a secret key. A bare hash verifies content integrity but not origin — anyone can compute the hash of a message. HMAC uses a shared secret key to create a signature that proves the message came from someone with that key.
›Base64 output is more compact. A SHA-256 hash is 32 bytes. As hex, that is 64 characters. As Base64, it is 44 characters (43 + 1 padding). APIs, JWTs, and headers frequently use Base64-encoded hashes.

Formula

SHA-256 (256-bit output)

H(message) → 64 hex characters (32 bytes)

Most widely deployed hash; used in TLS certificates, Git commits, Bitcoin

SHA-512 (512-bit output)

H(message) → 128 hex characters (64 bytes)

Higher security margin; preferred when storage/bandwidth is not a constraint

HMAC-SHA256 (Message Authentication Code)

HMAC(key, message) = H((key ⊕ opad) ∥ H((key ⊕ ipad) ∥ message))

Combines hash with a secret key to verify both integrity and authenticity

All hashing runs locally in your browser via Web Crypto API

No data is transmitted to any server. Files never leave your device.

How to Use

1
Choose text input or file upload mode.
2
Type or paste text, or drag a file into the upload zone.
3
Select hex or Base64 output format.
4
SHA-256, SHA-512, SHA-384, and SHA-1 results appear instantly.
5
Optionally enter a secret key to generate an HMAC-SHA256 signature.
6
Paste an expected hash in the comparison field to verify file integrity.

1
Choose input mode: Text mode for strings, passwords, or any plain text. File mode for computing the hash of a file (document, executable, archive) to verify its integrity.
2
Enter text or upload file: In text mode, type or paste directly. In file mode, select a file — it is processed entirely in your browser; nothing is uploaded.
3
Select output format: Hex produces lowercase hexadecimal (most common). Base64 produces the compact URL-safe encoding used in APIs and JWTs.
4
Read hash results: All four algorithms compute simultaneously. Copy any hash with the copy button. The bit length is shown next to each algorithm name.
5
Use HMAC for signed messages: Enter a secret key in the HMAC field to generate an HMAC-SHA256 signature. The key can be any string — in production, use a randomly generated 256-bit key.
6
Verify file integrity: Paste an expected hash in the comparison field. A green match or red mismatch tells you if the file is authentic.

Example Calculation

Example: hashing the string “hello world”

Input: "hello world" (11 bytes)

SHA-256: b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576...

...actually: b94d27b9934d3e08a52e52d7da7dabfa (first 32 chars)

SHA-512: 309ecc489c12d6eb4cc40f50c902f2b4...

Changing one character ("hello World") completely changes the hash:

SHA-256: 64ec88ca00b268e5ba1a35678a1b5316...

Avalanche effect: single-bit change = entirely different hash

Understanding Hash Generator | SHA-256, SHA-512, SHA-1 & HMAC Online Tool

When to Use Which Algorithm

›SHA-256: default choice for everything. NIST-approved, battle-tested since 2001, hardware-accelerated on all modern CPUs, and universally supported. Use it for file integrity, API authentication, code signing, and data deduplication.
›SHA-512: when output length matters. SHA-512 produces a 64-byte digest — double SHA-256. On 64-bit systems, SHA-512 can actually be faster than SHA-256 due to internal 64-bit word operations. Prefer SHA-512 for long-term archival signatures where a higher security margin is worth the larger output.
›SHA-384: the compromise. A truncated variant of SHA-512 that produces 48-byte output. Specified in TLS cipher suites that need more than 256 bits but not the full 512. Rarely needed outside of protocol-specific requirements.
›SHA-1: legacy only. Still found in older software update checksums, some internal tools, and non-security integrity checks. Do not use for anything where collision resistance matters. Two documents can theoretically share the same SHA-1 hash.
›HMAC-SHA256: when you need authentication, not just integrity. A file hash proves a file has not changed, but not who produced it. HMAC with a shared secret proves the hash was computed by someone with the key. Used extensively in API authentication (AWS Signature V4, OAuth, webhook verification).

File Integrity Verification Workflow

Software publishers routinely post SHA-256 checksums alongside download files. After downloading, drag the file into this tool and compare the computed SHA-256 hash against the published checksum. An exact match confirms the file arrived intact and was not tampered with in transit. A mismatch — even a single character difference — indicates corruption or a potentially substituted file.

Frequently Asked Questions

Is it safe to hash sensitive data in this tool?

All hashing runs locally using the browser's built-in Web Crypto API. No network requests are made — verifiable with browser dev tools. Sensitive data never leaves your device.

Can I use SHA-256 to store passwords?

Never use SHA-256 for password storage. Use bcrypt, scrypt, or Argon2 — which are intentionally slow and include salts. SHA-256 hashes passwords in microseconds, making brute-force trivial.

What is the difference between SHA-256 and SHA-3?

SHA-256 (SHA-2 family) and SHA-3 are both NIST-approved and unbroken. SHA-256 has wider hardware acceleration and ecosystem support.

SHA-3 uses a different construction as a security hedge. Both are appropriate for new systems.

How large a file can I hash in this tool?

Files up to ~100MB hash reliably in most browsers. For larger files, use the command line: sha256sum (Linux/Mac) or Get-FileHash (PowerShell). Processing is always local — no upload occurs.

Related Calculators

Base64 Encoder & Decoder

Encode text and files to Base64, decode Base64 strings, generate data URIs, and more. Supports URL-safe Base64, MIME line-wrap, and live processing.

UUID Generator | UUID v4

Generate UUID v4 universally unique identifiers instantly. Generate single or bulk UUIDs.

Random Password Generator

Generate strong, secure random passwords with custom length and character sets.

ASCII & Unicode Value Calculator

Convert any character to ASCII decimal, hex, octal, binary, and UTF-8 bytes, or decode character codes back to text. Full ASCII table included.

Color Contrast Checker | WCAG AA & AAA Accessibility

Check color contrast ratios against WCAG 2.1 AA and AAA standards for normal and large text. Enter hex, RGB, or HSL colors; get relative luminance values; preview text on background; and get automatic suggestions to fix failing contrast.