ruxox
Start
Start
Crypto / Hashing

Hash Generator

Hash any string with SHA-1, SHA-256, or SHA-512 using the browser Web Crypto API. No server, no tracking. Results update as you type.

Hash Generator

Runs entirely in your browser — no server calls, no tracking.

Click Hash to generate.

🔒 Your data never leaves this tab. This tool has no backend.

About this tool

About the Hash Generator

A cryptographic hash function takes an input of any length and produces a fixed-length output (the "digest") that is deterministic — the same input always produces the same hash — and practically irreversible — you cannot reconstruct the input from the hash alone. This tool uses the browser's built-in Web Crypto API (crypto.subtle.digest) for all computation. Nothing is sent to any server.

SHA-256 vs SHA-512

SHA-256 produces a 256-bit (32-byte, 64 hex character) digest. SHA-512 produces a 512-bit (64-byte, 128 hex character) digest and is marginally more collision-resistant, though SHA-256 is already considered secure for all practical purposes. Use SHA-512 in systems where future quantum attack resistance is a consideration, or when operating under compliance standards that mandate it.

Why MD5 is excluded

MD5 is not supported by the Web Crypto API because it is cryptographically broken — MD5 collisions can be generated in seconds on consumer hardware. If you need to verify a legacy MD5 checksum, use a local tool. For any new security-relevant use (data integrity, password hashing steps, API signatures), use SHA-256 or stronger.

Note: this tool hashes strings, not files. For file hashing, use sha256sum (Linux/macOS) or Get-FileHash (PowerShell). For password hashing in applications, use a dedicated password hash function (bcrypt, Argon2, scrypt) — not raw SHA. Raw SHA hashes of passwords are fast to brute-force; bcrypt and Argon2 are deliberately slow.

FAQ

Frequently asked questions

Why should I not use SHA-256 for password hashing?
SHA-256 is designed to be fast — a modern GPU can compute billions of SHA-256 hashes per second, making brute-force attacks trivial. Password hashing functions like bcrypt, Argon2, and scrypt are deliberately slow (configurable work factor) and include salt to prevent rainbow table attacks. Always use one of these for storing user passwords, never raw SHA.
What is a hash collision?
A collision occurs when two different inputs produce the same hash output. For SHA-256, no collision has ever been found — the search space is 2²⁵⁶, which is computationally infeasible. For MD5, collisions can be generated in seconds, which is why it is broken for security use. For SHA-1, theoretical collisions have been demonstrated (SHAttered attack, 2017).
Can I use this to verify file integrity?
This tool hashes text strings. To hash a file, use your OS: sha256sum filename on Linux/macOS or Get-FileHash filename -Algorithm SHA256 in PowerShell. You can then paste the resulting hash here and compare it to the expected value to verify integrity.
What is HMAC and how does it differ from a plain hash?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. A plain hash verifies data integrity — it tells you the data has not changed. An HMAC also verifies authenticity — only someone with the secret key could have produced the code. Use HMAC for API request signing, webhook verification, and cookie tampering detection.
Custom software

Need secure API authentication built?

ruxox builds custom APIs with HMAC signing, rate limiting, and key management. Free estimate in 48 hours.