Skip to content
100% in your browser. Nothing you paste is uploaded — all processing runs locally. Read more →

Hash Calculator

Type or paste text, drop in a file. Get every common hash side-by-side. Compare two hashes to verify a download or detect tampering. No upload, no signup.

MD5
SHA-1
SHA-256
SHA-384
SHA-512

What this tool does

The math

SHA-1, SHA-256, SHA-384, SHA-512 use the browser's crypto.subtle.digest (Web Crypto API) — the same implementation used by HTTPS, JWT verification, and code signing. MD5 isn't exposed by Web Crypto (deliberately, for security reasons), so we ship a self-contained ~80-line MD5 implementation based directly on RFC 1321.

Common use cases

Picking the right algorithm

Short version: SHA-256 is the right default. Use SHA-512 for slightly better security margin (and faster on 64-bit hardware in many cases). MD5 only when an existing system requires it. SHA-1 only when interoperating with legacy code (Git, old TLS).

For passwords you should not use any of these — see our guide on hash function selection for why bcrypt / argon2 are the right tools.

Related tools

What this tool does not do

FAQ

Is anything I enter sent to a server?

No. SHA-1 / SHA-256 / SHA-384 / SHA-512 use the browser's built-in crypto.subtle.digest. MD5 is computed by an inline JS implementation. Both run entirely in your browser — open DevTools → Network and confirm.

Why is MD5 marked 'legacy'?

MD5 has known collision attacks since 2004 and is not safe for any security purpose (signatures, password storage, integrity against an attacker). It's still useful for non-security cases — ETags, deduplication keys, fingerprinting unchanged file content. Use SHA-256 by default; reach for MD5 only when an existing system requires it.

What about SHA-1?

SHA-1 was broken in 2017 (the SHAttered attack produced two PDFs with the same SHA-1). Treat it like MD5 — fine for non-security, deprecated for anything cryptographic. Git still uses SHA-1 internally but is migrating to SHA-256.

What's base64url and when do I want it?

base64url replaces + with -, / with _, and strips trailing = padding. It's used in places where the hash is going into a URL or filename — JWTs, OAuth state values. Standard base64 is fine for most other uses.

How do I hash a password?

You don't — not with these. SHA-256 of a password is not secure storage because it's fast, which is exactly the property that makes it brute-forceable. For passwords use a password-specific KDF: bcrypt, argon2id, or scrypt. They're intentionally slow and have a salt parameter. See our guide on which hash function to pick.

What's the largest file I can hash?

Limited by your browser's memory — typically several hundred MB. The full file is read into memory, then hashed. For multi-GB files, use shasum / sha256sum on the command line.