What a cryptographic hash is
A hash function takes input of any length and boils it down to a fixed-size fingerprint written in hexadecimal. Three properties make it useful: it is one-way (nothing turns the hash back into the original text), it has a fixed size (a word and a 4 GB disk image produce equally long output), and it shows the avalanche effect — flip one character and the whole hash changes.
This tool computes the four algorithms developers look up most — MD5, SHA-1, SHA-256 and SHA-512 — live as you type, entirely in your browser. Input is encoded as UTF-8 first, so accented characters and emoji match what md5sum, Python’s hashlib or any other standard tool produces.
How to use it
- Type or paste your text into the input box.
- All four hashes update on every keystroke — there is no generate button.
- Hit Copy on the row you need.
- To verify a download, compare the copied value against the vendor’s published checksum: one different character means a different file.
- Clear wipes the input so you can start over.
Where each algorithm stands in 2026
| Algorithm | Bits | Hex length | Status | Typical job today |
|---|---|---|---|---|
| MD5 | 128 | 32 | broken since 2004 | quick checksums, duplicate detection, legacy systems |
| SHA-1 | 160 | 40 | broken since 2017 | Git internals, backwards compatibility |
| SHA-256 | 256 | 64 | secure | TLS certificates, code signing, blockchains — the default |
| SHA-512 | 512 | 128 | secure | extra margin; often faster on 64-bit CPUs |
Rule of thumb: MD5 and SHA-1 only guard against accidents, never against attackers. Anything security-related built today should start at SHA-256.
Worked example
Type the classic pangram The quick brown fox jumps over the lazy dog and you get the textbook test vectors:
- MD5:
9e107d9d372bb6826bd81d3542a419d6 - SHA-1:
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - SHA-256:
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
Now change just the last word to cog: the MD5 becomes 1055d3e698d289f2af8663725127bd4b. A three-letter edit rewrote the whole fingerprint — the avalanche effect doing its job. Also worth memorizing: d41d8cd98f00b204e9800998ecf8427e, the MD5 of an empty string — in a log it usually means something was hashed empty by mistake.
Never store passwords with these
All four algorithms are engineered for speed, which is fatal for passwords: one modern GPU tries billions of MD5 candidates per second, so leaked fast-hash passwords fall in minutes. Password storage calls for deliberately slow, salted functions such as bcrypt or Argon2, winner of the Password Hashing Competition. Use this page for checksums, integrity checks and learning — never for credentials.
Frequently asked questions
Can a hash be reversed?
No — the function throws information away, and infinitely many inputs map to every output. What attackers use instead are rainbow tables: massive precomputed dictionaries of hashes for common passwords. That is why real systems add a salt, a random per-user value mixed into the input: identical passwords then produce different hashes and the precomputed table becomes worthless.
Is MD5 still good for anything?
Yes, as a fast fingerprint when no adversary is involved: spotting duplicate files, confirming a download arrived intact, building cache keys or ETags. What it can no longer do is prove authenticity, because attackers can deliberately craft two different files sharing one MD5.
What is the difference between hashing and encryption?
Encryption is reversible by design — with the right key you get the original message back. A hash has no key and no way back; it identifies data rather than hiding it. Sites that claim to “decrypt MD5” are really just looking your hash up in a table of already-known values.
What is a collision?
Two different inputs producing the same hash. Finding one should be computationally infeasible — but Wang Xiaoyun’s team demonstrated practical MD5 collisions in 2004, and in 2017 the SHAttered attack by Google and CWI did the same to SHA-1. Both have been considered broken for signatures and certificates ever since; SHA-256 has no known collision.