Create MD5, SHA-1, SHA-256, and SHA-512 hashes instantly to verify data integrity from text you paste.
sha256sum --check, Get-FileHash, your release notes, or wherever you need to compare. Use Clear to reset.A cryptographic hash is a deterministic, fixed-length fingerprint of any input. Hashes are one-way (you cannot reverse the digest back to the data), avalanche (a one-bit change flips roughly half the output bits), and collision-resistant for secure algorithms (it is computationally infeasible to find two inputs that produce the same digest). That combination underpins most of modern data integrity, authentication, and content addressing.
git diff, git fsck, and content-addressable backups like restic and BorgBackup all rely on hashes to spot what actually changed.app.3a7b2c.js so browsers re-fetch only files whose bytes changed, while everything else stays cached.Subresource Integrity (<script integrity="sha384-...">) all use hashes so the same input always produces the same identifier.| Property | MD5 | SHA-1 | SHA-256 | SHA-512 | SHA-3 (Keccak) | BLAKE3 |
|---|---|---|---|---|---|---|
| Digest length | 128 bit / 32 hex | 160 bit / 40 hex | 256 bit / 64 hex | 512 bit / 128 hex | 224-512 bit | 256 bit default (XOF: any length) |
| Year published | 1992 (RFC 1321) | 1995 (FIPS 180-1) | 2001 (FIPS 180-2) | 2001 (FIPS 180-2) | 2015 (FIPS 202) | January 2020 |
| Standard / spec | RFC 1321 | FIPS 180-4 (deprecated) | FIPS 180-4 | FIPS 180-4 | FIPS 202 | IETF draft, not NIST |
| Collision status | Broken — practical collision Wang et al., 2004 | Broken — SHAttered, Google + CWI, Feb 2017 | No practical collision | No practical collision | No practical collision | No practical collision |
| Speed (relative) | Very fast (legacy) | Very fast | Fast (hw-accelerated on most CPUs) | Often faster than SHA-256 on 64-bit CPUs | Slower in software than SHA-2 | Fastest — parallel Merkle tree, ~5-10x SHA-256 on multi-core |
| NIST approved | No | Phasing out by Dec 31, 2030 | Yes | Yes | Yes | No (not in FIPS) |
| Typical use today | Non-security checksums, cache keys | Legacy systems, Git object IDs | Default for TLS, signatures, blockchain, file checksums | Long-term archival signatures, 64-bit servers | Alternative to SHA-2 where Keccak is required | High-throughput pipelines, content-addressed storage, video encoders |
| Use case | Recommended algorithm | Why |
|---|---|---|
| Verify a downloaded ISO / installer | SHA-256 | Industry default; publishers ship a .sha256 file beside the download |
| Maximum throughput on large files | BLAKE3 | Parallel tree structure saturates modern multi-core CPUs |
| TLS / X.509 certificates, code signing | SHA-256 or SHA-384 | Required by current CA/Browser Forum baseline requirements |
| Git object IDs (legacy repos) | SHA-1 | Compatibility only; new tooling supports SHA-256 |
| Non-security file dedup, cache keys | MD5 is fine | Collisions don't matter when there's no adversary |
| Password storage | NEVER MD5/SHA-1/SHA-2/SHA-3 — use Argon2id, scrypt, or bcrypt | Plain hashes are too fast; GPU brute-force is trivial. Use a memory-hard KDF with a per-user salt. |
| Message authentication | HMAC-SHA-256 (not a bare hash) | Bare hashes are vulnerable to length-extension on SHA-1/SHA-2 |
None of the algorithms on this page. MD5, SHA-1, and the SHA-2/SHA-3 families are all designed to be fast — a modern GPU can compute billions of SHA-256 hashes per second, which makes them trivially crackable against any leaked database. For passwords, use a memory-hard password-hashing function: Argon2id (OWASP 2024 preferred profile: m=46 MiB (46080), t=1, p=1; minimum: m=19 MiB (19456), t=2, p=1), scrypt, or bcrypt with a work factor of 10 or higher. Each password also needs a unique random salt. Generate strong inputs with our password generator.
SHA-256 is the standard choice and what almost every Linux distro, GitHub release, and Docker registry publishes. It's hardware-accelerated on most x86-64 and ARM64 CPUs via SHA-NI / ARMv8 cryptographic extensions. If you control both ends of the pipeline and care about raw throughput on large files, BLAKE3 is roughly 5-10x faster on multi-core CPUs because its internal Merkle-tree structure parallelizes naturally — but it isn't FIPS-approved, so it's a poor fit for regulated environments.
Yes, but only outside security. MD5 is fine for cache keys, deterministic IDs, ETag-style change detection, and file deduplication where no attacker is trying to forge a collision. The 2004 attack by Wang et al. and subsequent chosen-prefix work mean MD5 should never be used for digital signatures, TLS certificates, password storage, malware detection, or anywhere an adversary could craft two inputs with the same hash. Treat it like CRC32 with a longer output — a fingerprint, not a security primitive.
A collision is two different inputs that produce the same hash. Because hashes map an infinite input space to a fixed output, collisions must mathematically exist; the question is whether anyone can find them efficiently. Wang et al. demonstrated practical MD5 collisions in 2004 (within an hour on a cluster of the day; now seconds on a laptop). Google and CWI Amsterdam announced the first SHA-1 collision in February 2017 (the SHAttered attack), publishing two PDFs with identical SHA-1 digests after about 6,500 CPU-years of computation. SHA-256, SHA-512, SHA-3, and BLAKE3 have no known practical collisions.
SHA-2 (which includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256) is defined in FIPS PUB 180-4, published by NIST. SHA-3, based on the Keccak sponge construction, is defined in FIPS PUB 202 and includes SHA3-224, SHA3-256, SHA3-384, SHA3-512, plus the SHAKE128 and SHAKE256 extendable-output functions. Both are free, open standards. NIST formally announced the SHA-1 retirement plan in December 2022, with all federal use to be phased out by December 31, 2030, when FIPS 180-5 is expected to remove SHA-1 entirely.
A salt is a random per-user value mixed into the password before hashing. Without one, two users with the same password produce identical hashes, which leaks information and lets attackers precompute giant rainbow tables that crack millions of accounts at once. With a unique salt (typically 16 bytes from a CSPRNG), the same password yields a different hash for every user, and an attacker has to brute-force each account individually. The salt is stored alongside the hash — it doesn't need to be secret, only unpredictable and unique.
It depends heavily on the input size and the hardware. On a single core, BLAKE3 is comparable to or slightly faster than SHA-256 with SHA-NI hardware acceleration. On long inputs (megabytes and up) with multiple cores or wide SIMD lanes (AVX-512), BLAKE3 scales nearly linearly because its internal binary Merkle tree parallelizes — the BLAKE3 team reports roughly 0.49 cycles per byte on Cascade Lake-SP with AVX-512, several times faster than SHA-256 on the same hardware. For short inputs (under a few kilobytes), the difference is small; the wins come on large files and high-throughput streaming.
No. Hashing is one-way and produces a fixed-length digest — there is no key, and you cannot recover the input from the hash. Encryption is two-way: a key transforms plaintext into ciphertext, and the same key (symmetric) or matching key (asymmetric) recovers the plaintext. Hashes prove integrity ("this file hasn't changed"); encryption provides confidentiality ("only the recipient can read this"). The two are often combined — for example, a signed JWT contains an encoded payload plus a SHA-256-based signature; you can inspect the payload with our JWT decoder. For converting digests between bases (hex to binary or decimal), use the number base converter.
No. All hashing runs in your browser via the Web Crypto API (crypto.subtle.digest) and pure-JavaScript implementations for algorithms the browser doesn't natively expose. Your text, file contents, and resulting digests never leave your machine — useful when hashing secrets, internal documents, or anything you wouldn't want logged on a remote server.