A cryptographic hash function takes any input — text, file bytes, whatever — and produces a fixed-length “fingerprint” that changes dramatically if the input changes by even a single bit. The same input always produces the same output, so hashes are used to verify integrity (did this file change?) and to check equality without revealing the original (does the password you entered match the stored hash?).
This tool computes four SHA family hashes in parallel: SHA-1, SHA-256, SHA-384, and SHA-512. All four run on every keystroke via the browser’s Web Crypto API, so you see the result instantly.
Output lengths
| Algorithm | Output | Output hex length |
|---|---|---|
| SHA-1 | 160 bits | 40 characters |
| SHA-256 | 256 bits | 64 characters |
| SHA-384 | 384 bits | 96 characters |
| SHA-512 | 512 bits | 128 characters |
Example: hashing “The quick brown fox jumps over the lazy dog”
The classic pangram has these hashes:
- SHA-1:
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - SHA-256:
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
Add a single period at the end:
- SHA-1:
408d94384216f890ff7a0c3528e8bed1e0b01621 - SHA-256:
ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
Every bit of the output changes. This is called the avalanche effect and it’s what makes hash functions useful for detecting tampering — you cannot make a tiny change to a file and get the same hash.
When to use which algorithm
- SHA-256: the standard choice for everything. File integrity, API request signing, commit hashes, Merkle trees. If you don’t have a specific reason to use something else, use SHA-256.
- SHA-1: only use when a legacy system requires it (Git uses SHA-1 for object IDs, some older APIs still specify it). Do not use for any new security-sensitive work.
- SHA-512: when you want extra collision resistance or need more output bits for key derivation. SHA-512 is also faster than SHA-256 on 64-bit hardware because it’s natively 64-bit internally.
- SHA-384: a truncated version of SHA-512. Used in some TLS cipher suites and NIST key sizes. Rare in general-purpose work.
What this tool does not do
- No MD5. See the FAQ above. Use another tool if you need it, but think carefully about whether you really need it.
- No HMAC. Plain hashes are not safe for authenticating messages with a secret key — use the HMAC calculator for that.
- No password hashing. For storing passwords, use bcrypt, scrypt, or Argon2 — all of which are deliberately slow. SHA-256 is too fast for password storage; the bcrypt playground is the correct tool for that use case.
- No file hashing. This tool hashes text you paste or type. For hashing files, you’d need a file-upload tool, which is planned but not here yet. For non-cryptographic integrity checks (ZIP CRCs, serial-line checksums), the checksum calculator is the lower-overhead option.