Hash Calculator
Type or paste text, drop in a file. Get every common hash side-by-side. Compare two hashes to verify a download or detect tampering. No upload, no signup.
What this tool does
- All five common algorithms at once — MD5, SHA-1, SHA-256, SHA-384, SHA-512. The "currently-selected" row is highlighted; the others are still computed for comparison.
- Text or file — type/paste, or pick a file. Files are read into memory and hashed; nothing leaves your browser.
- Output formats — hex (default), base64, base64url. Switch any time.
- Compare — paste an expected hash to instantly verify whether your input produces it (and via which algorithm).
The math
SHA-1, SHA-256, SHA-384, SHA-512 use the browser's
crypto.subtle.digest (Web Crypto API) — the same
implementation used by HTTPS, JWT verification, and code signing.
MD5 isn't exposed by Web Crypto (deliberately, for security
reasons), so we ship a self-contained ~80-line MD5 implementation
based directly on RFC 1321.
Common use cases
- Verify a download — paste the official SHA-256 from the publisher, drop in your downloaded file, see "✓ Match."
- Detect file changes — hash before and after; identical hash = identical bytes.
- Generate ETags — MD5 or SHA-256 of file content as a cache key.
- Verify a signed payload — hash the body, compare to what the signature decoded.
- Anonymise an identifier — hash an email or user ID before logging it.
Picking the right algorithm
Short version: SHA-256 is the right default. Use SHA-512 for slightly better security margin (and faster on 64-bit hardware in many cases). MD5 only when an existing system requires it. SHA-1 only when interoperating with legacy code (Git, old TLS).
For passwords you should not use any of these — see our guide on hash function selection for why bcrypt / argon2 are the right tools.
Related tools
- Base64 encoder/decoder — for raw byte handling.
- JWT decoder — for tokens which use HMAC-SHA hashing internally.
- UUID generator — including UUID v3/v5 which are MD5- and SHA-1-derived.
What this tool does not do
- HMAC — for message authentication you need HMAC-SHA256 (key + message). For JWT verification, use jwt.tooljo.com/verify.
- Password hashing — use bcrypt / argon2id; not these algorithms.
- BLAKE3 — not yet, but it's on the list. SHA-256 covers virtually all current use cases.
FAQ
Is anything I enter sent to a server?
No. SHA-1 / SHA-256 / SHA-384 / SHA-512 use the browser's built-in crypto.subtle.digest. MD5 is computed by an inline JS implementation. Both run entirely in your browser — open DevTools → Network and confirm.
Why is MD5 marked 'legacy'?
MD5 has known collision attacks since 2004 and is not safe for any security purpose (signatures, password storage, integrity against an attacker). It's still useful for non-security cases — ETags, deduplication keys, fingerprinting unchanged file content. Use SHA-256 by default; reach for MD5 only when an existing system requires it.
What about SHA-1?
SHA-1 was broken in 2017 (the SHAttered attack produced two PDFs with the same SHA-1). Treat it like MD5 — fine for non-security, deprecated for anything cryptographic. Git still uses SHA-1 internally but is migrating to SHA-256.
What's base64url and when do I want it?
base64url replaces + with -, / with _, and strips trailing = padding. It's used in places where the hash is going into a URL or filename — JWTs, OAuth state values. Standard base64 is fine for most other uses.
How do I hash a password?
You don't — not with these. SHA-256 of a password is not secure storage because it's fast, which is exactly the property that makes it brute-forceable. For passwords use a password-specific KDF: bcrypt, argon2id, or scrypt. They're intentionally slow and have a salt parameter. See our guide on which hash function to pick.
What's the largest file I can hash?
Limited by your browser's memory — typically several hundred MB. The full file is read into memory, then hashed. For multi-GB files, use shasum / sha256sum on the command line.