SHA Hash Generator
Compute SHA-1, SHA-256, SHA-384, and SHA-512 hex digests of any text at once, using the browser's built-in Web Crypto. Live as you type, completely free, and entirely in your browser.
SHA-1
Digest appears here as you type.
SHA-256
Digest appears here as you type.
SHA-384
Digest appears here as you type.
SHA-512
Digest appears here as you type.
What this tool does, and the security caveats
A cryptographic hash is a one-way function that turns any input into a fixed-length fingerprint. The same input always produces the same digest, but you cannot run the function backwards to recover the input. That property makes hashes the standard tool for integrity checks — proving a file, message, or payload arrived exactly as it left.
This tool computes all four digests at once with the browser's native crypto.subtle.digest. Your text is encoded to UTF-8 bytes with TextEncoder and hashed on your own CPU — no library is loaded and no request is made. Because the plaintext never leaves your device, you can hash a secret you are verifying without exposing it to a remote service. Note that Web Crypto requires a secure context (HTTPS or localhost), which this site provides.
A few caveats worth internalizing. There is no MD5 here because SubtleCrypto refuses to implement it — MD5 is broken and unsafe. SHA-1 is included for legacy verification but is also weak against collisions; reach for SHA-256 or stronger on anything new. And a plain SHA digest is the wrong way to store passwords: a fast hash is trivially brute-forced, so use a deliberately slow, salted algorithm like bcrypt, scrypt, or Argon2. Getting these choices right is exactly the kind of detail we audit in a penetration test.
Finally, remember that hashing is byte-exact. A trailing space, a CRLF instead of an LF, or a stray byte-order mark changes the digest entirely. If two systems disagree on a hash, the cause is almost always invisible whitespace or an encoding mismatch — not the algorithm.
How to use it
Type or paste your text into the input box. All four digests recompute live as you type, each shown with its bit length. Use a copy button to grab any single digest. The character and byte counts help you spot trailing whitespace when a digest does not match what you expected. Nothing is stored, so a refresh clears everything.
FAQs
Is my input sent to a server?
No. Every digest is computed in your browser with the native Web Crypto API (crypto.subtle.digest). Your text is encoded to UTF-8 bytes locally and hashed on your own CPU — nothing is uploaded, logged, or stored. You can verify this in your browser's network tab: hashing produces zero network requests. That makes it safe to hash secrets, file contents, or tokens you are checking, because the plaintext never leaves your machine.
Why is there no MD5 option?
The browser's SubtleCrypto API deliberately does not implement MD5, because MD5 is cryptographically broken — practical collisions have existed for years, so it is unsafe for signatures, integrity checks, or anything security-sensitive. This tool only offers the algorithms the platform actually provides: SHA-1, SHA-256, SHA-384, and SHA-512. Note that SHA-1 is also considered weak for collision resistance and should be treated as legacy; prefer SHA-256 or stronger for new work.
What is a hash, and what should I not use it for?
A cryptographic hash is a one-way function: it turns any input into a fixed-length fingerprint, and the same input always yields the same digest, but you cannot reverse it back to the input. Hashes are excellent for verifying integrity — confirming a download or message was not altered. They are not encryption, so never use a hash to hide data you need to recover. And critically, a plain SHA digest is the wrong tool for storing passwords: use a slow, salted password hash such as bcrypt, scrypt, or Argon2 instead, which are designed to resist brute-force attacks.
Do whitespace and encoding affect the result?
Absolutely — hashing is exact. A single trailing space, a different line ending (CRLF versus LF), or a stray byte order mark will produce a completely different digest. This tool hashes the precise UTF-8 byte sequence of whatever you type, so if your digest does not match an expected value, the usual culprit is invisible whitespace or a character-encoding mismatch between the two sides.
How long is each digest?
The hex length reflects the bit size: SHA-1 is 160 bits (40 hex characters), SHA-256 is 256 bits (64 hex characters), SHA-384 is 384 bits (96 hex characters), and SHA-512 is 512 bits (128 hex characters). A longer digest offers a larger output space and stronger collision resistance, at a small cost in size. For most integrity and fingerprinting needs SHA-256 is the sensible default.
Related tools
Related security reading
All postsAPI Security Best Practices (2026)
Auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Read postBest Penetration Testing Companies in Georgia (2026)
Georgia-based pentest providers, what they actually deliver, and how to choose.
Read postBuilding a Vulnerability Management Program (2026)
Scan cadence, CVSS triage, remediation SLAs, and reporting that makes a scanner defensible.
Read post
Unsure if your crypto choices hold up?
Weak password hashing, misused algorithms, and integrity gaps are some of the most common findings in a security review. We assess how your application handles hashing, secrets, and data integrity — and fix what we find. Talk to us about a penetration test or secure-build engagement.
Or reach us directly: beltz@quantlabusa.dev