Hash Generator

Generate cryptographic hashes including SHA-1, SHA-256, SHA-384, and SHA-512 from text input.

Input Text

Input Stats

Characters

13

Bytes (UTF-8)

13

Generated Hashes

Click "Generate Hashes" to create hashes

Hash Comparison

SHA-1: 160 bits - Legacy, not recommended for security

SHA-256: 256 bits - Good for most applications

SHA-384: 384 bits - Higher security

SHA-512: 512 bits - Maximum security

Note: These hashes are generated client-side using the Web Crypto API. Your input is never sent to any server.

What Is a Hash Generator and How Does It Work?

A hash generator is a tool that takes any piece of text as input and produces a fixed-length string of hexadecimal characters — called a hash, digest, or fingerprint — using a deterministic mathematical algorithm. No matter how long or short your input is, the output is always the same length for a given algorithm. Even a tiny change to the input — swapping a single character, adjusting capitalization, or adding a space — produces an entirely different hash value. This property, known as the avalanche effect, is what makes cryptographic hash functions so useful for detecting alterations and verifying data integrity.

This hash generator uses the browser's built-in Web Crypto API (crypto.subtle.digest()) to compute SHA-1, SHA-256, SHA-384, and SHA-512 hashes entirely on your device. Your input text is encoded into UTF-8 bytes using TextEncoder, passed to the digest function, and the resulting raw byte buffer is converted to a human-readable hexadecimal string. Because all computation happens client-side, your text is never transmitted to any server — making this tool safe for hashing sensitive strings during development and testing.

In addition to the four SHA family algorithms, the tool computes a simple hash using a djb2-inspired polynomial rolling algorithm — the kind commonly used in hash tables and checksums. While this simple hash is not cryptographic, it demonstrates how non-cryptographic hash functions work and is useful for illustrating the difference in output length and security properties compared to the SHA family.

Hashing is foundational to modern computing: it secures passwords, ensures file integrity, powers digital signatures, underpins blockchain technology, and enables efficient data lookup in hash tables. Understanding how to generate and interpret hash values is an essential skill for developers, security professionals, and data engineers alike.

SHA Algorithms: SHA-1, SHA-256, SHA-384, and SHA-512 Explained

The Secure Hash Algorithm (SHA) family was developed by the United States National Security Agency (NSA) and standardized by the National Institute of Standards and Technology (NIST). Each algorithm in the family produces a different output length and offers a different level of security. The tool generates hashes for all four major variants so you can compare outputs side by side.

Algorithm Output Length Hex Characters Security Status Common Use Cases
SHA-1 160 bits 40 Deprecated for security use Legacy checksums, Git object IDs
SHA-256 256 bits 64 Secure, widely recommended TLS certificates, code signing, blockchain
SHA-384 384 bits 96 Secure, higher collision resistance High-security applications, government use
SHA-512 512 bits 128 Maximum security in SHA-2 family File integrity, digital signatures, archival

SHA-1 was widely deployed throughout the 1990s and 2000s but was officially deprecated by NIST in 2011 after theoretical collision attacks were demonstrated. In 2017, Google's Project Zero successfully produced a practical SHA-1 collision (the SHAttered attack), confirming that SHA-1 should no longer be used for any security-sensitive purpose. It is still used in non-security contexts such as Git object identifiers, but even Git is migrating toward SHA-256.

SHA-256 and SHA-512 belong to the SHA-2 family, introduced in 2001. Both remain cryptographically secure as of 2026. SHA-256 is the standard choice for most applications due to its excellent balance of security and performance. SHA-512 produces a larger digest and can actually be faster than SHA-256 on 64-bit processors due to architectural advantages in how it processes data blocks.

SHA Hash Hex Output Conversion

hashHex = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, "0")).join("")

Where:

  • hashBuffer= Raw ArrayBuffer returned by crypto.subtle.digest(algorithm, data)
  • Uint8Array(hashBuffer)= Byte-by-byte view of the hash output buffer
  • b.toString(16).padStart(2, "0")= Converts each byte (0–255) to a two-character lowercase hex string (00–ff)
  • hashHex= Final concatenated hexadecimal string; length = (output bits / 4) characters

The Simple Hash: djb2-Inspired Non-Cryptographic Hashing

Alongside the cryptographic SHA algorithms, this tool also computes a simple hash using a polynomial rolling function similar to the djb2 algorithm popularized by Daniel J. Bernstein. The formula applied to each character is:

simpleHash = ((simpleHash << 5) - simpleHash) + charCode

This is equivalent to simpleHash = (simpleHash * 31) + charCode because left-shifting by 5 bits multiplies by 32, and subtracting the original value gives multiplication by 31. The expression simpleHash = simpleHash & simpleHash forces the value to stay within a 32-bit signed integer range using JavaScript's bitwise AND operation — effectively clamping to 32-bit signed integer overflow behavior. The final result is converted to its absolute value and formatted as an 8-character zero-padded hexadecimal string.

Non-cryptographic hash functions like this are designed for speed rather than security. They are used extensively in hash tables, data structures, caches, and distributed systems where fast lookup matters more than collision resistance. They are not suitable for security purposes: an attacker can easily construct two different inputs that produce the same output (a collision), and the output space of only 32 bits means there are at most ~4.3 billion distinct values — trivially exhausted by modern hardware.

Comparing the simple hash output against the SHA outputs in this tool vividly demonstrates the difference: SHA-256 produces 64 hex characters (256 bits), making a brute-force collision search astronomically harder, while the simple hash's 8 hex characters (32 bits) offer no practical security. Understanding this difference is important for any developer choosing between fast hashing for data structures versus secure hashing for integrity or authentication purposes.

Real-World Applications of Cryptographic Hashing

Cryptographic hash functions are among the most widely deployed primitives in modern computing. Understanding where and how they are used helps you apply them correctly in your own projects and appreciate the importance of algorithm selection.

Data integrity verification. When you download software, the provider often publishes a SHA-256 or SHA-512 checksum alongside the file. After downloading, you compute the hash of the received file and compare it to the published value. If they match, the file was not corrupted in transit or tampered with. Package managers like npm, apt, and Homebrew use SHA hashes internally to verify every package they install.

Digital signatures and certificates. TLS/SSL certificates — the foundation of HTTPS — rely on SHA-256 hashing as part of the signing process. A certificate authority signs a hash of the certificate data with its private key; browsers verify the signature using the authority's public key. The hash ensures that even a one-byte change to the certificate is detectable.

Password storage (with key derivation functions). While raw SHA hashes should not be used to store passwords directly (they are too fast, enabling brute-force attacks), they are components of proper password hashing schemes like PBKDF2, which applies HMAC-SHA256 thousands of times to make guessing computationally expensive. For password storage, prefer purpose-built functions like bcrypt or Argon2id.

Blockchain and distributed ledgers. Bitcoin and most other blockchains use SHA-256 to link blocks: each block header contains the SHA-256 hash of the previous block, making the chain tamper-evident. Changing any historical transaction would require recomputing every subsequent block's hash — an infeasible amount of work.

Content-addressable storage. Systems like Git use SHA hashes as object identifiers. Every commit, file, and directory tree in a Git repository is identified by its SHA hash. This means two repositories with identical content will have identical object hashes, enabling efficient deduplication and distributed consistency without central coordination.

Message authentication codes (HMAC). HMAC combines a secret key with a hash function to produce a tag that proves both data integrity and authenticity. HMAC-SHA256 is used extensively in API authentication (including AWS request signing and JSON Web Tokens), where the shared secret ensures only authorized parties can generate valid tags.

Key Properties of Cryptographic Hash Functions

A cryptographic hash function must satisfy several rigorous mathematical properties to be considered secure. Understanding these properties helps you reason about what hashing can and cannot guarantee in your applications.

Determinism. The same input always produces exactly the same output. This is what makes hash-based verification possible: if you hash the same file twice under the same algorithm, you will always get the same digest. This tool demonstrates determinism by producing consistent SHA outputs every time you hash the same text.

Preimage resistance (one-way property). Given a hash output h, it should be computationally infeasible to find any input m such that hash(m) = h. This property is what makes cryptographic hashes useful for commitment schemes and integrity checks — knowing the hash does not reveal the original data.

Second preimage resistance. Given an input m1 and its hash, it should be infeasible to find a different input m2 such that hash(m1) = hash(m2). This protects against targeted substitution attacks where an attacker wants to replace a specific piece of data with something that produces the same hash.

Collision resistance. It should be computationally infeasible to find any two distinct inputs m1 and m2 such that hash(m1) = hash(m2). The birthday paradox tells us that for a hash with n-bit output, a collision can theoretically be found in approximately 2n/2 operations. For SHA-256, that is 2128 operations — far beyond any conceivable attack.

Avalanche effect. A single-bit change in the input should change approximately half the bits in the output, making it impossible to predict how output changes based on small input changes. Try hashing "Hello" and "hello" with this tool — the outputs will be completely different despite only a single character case change.

Fixed output length. Regardless of whether the input is 1 character or 1 gigabyte, SHA-256 always produces exactly 256 bits (64 hex characters). This property enables efficient storage, comparison, and transmission of hash values independent of the original data size.

Choosing the Right Hash Algorithm for Your Use Case

With multiple SHA algorithms available, selecting the right one depends on your security requirements, performance constraints, and compatibility needs. The following guidance applies to the algorithms supported by this hash generator tool.

Use SHA-256 as your default. SHA-256 is the most widely supported, well-audited, and broadly recommended algorithm in the SHA-2 family. It is required by numerous standards including TLS 1.3, the FIPS 140-3 certification framework, and most modern API specifications. If you are unsure which algorithm to choose, SHA-256 is the correct answer for general-purpose cryptographic hashing in 2026.

Use SHA-512 for high-security applications or 64-bit optimization. SHA-512 is part of the SHA-2 family and produces a 512-bit digest. On 64-bit processors, SHA-512 can actually be faster than SHA-256 because it processes 1024-bit blocks in 64-bit word operations rather than 512-bit blocks. If you are building a system that requires a larger security margin or benefits from 64-bit arithmetic, SHA-512 is a strong choice.

Use SHA-384 when standards require it. SHA-384 is derived from SHA-512 (it is SHA-512 truncated to 384 bits with a different initialization vector) and is required by certain government and financial industry standards. It offers slightly more security than SHA-256 with lower overhead than full SHA-512. Use it when compliance requirements specify it explicitly.

Avoid SHA-1 for any new security applications. SHA-1 has been broken for collision resistance since the SHAttered attack in 2017 and was deprecated by NIST years earlier. It remains in this tool for educational purposes and compatibility testing only. Never use SHA-1 for digital signatures, certificate verification, or any scenario where collision resistance matters.

Never use raw SHA for password storage. SHA algorithms are designed to be fast — a modern GPU can compute billions of SHA-256 hashes per second. This makes them completely unsuitable for direct password hashing. Use bcrypt (cost ≥ 10), Argon2id, or PBKDF2 (≥ 600,000 iterations) instead. These purpose-built password hashing functions are deliberately slow and memory-intensive, making brute-force attacks infeasible.

Worked Examples

Hashing "Hello, World!" with SHA-256

Problem:

Generate the SHA-256 hash of the string "Hello, World!" and understand the process the tool uses.

Solution Steps:

  1. 1Encode the input string to UTF-8 bytes using TextEncoder: "Hello, World!" becomes 13 bytes (ASCII characters map 1-to-1 to UTF-8 bytes).
  2. 2Pass the byte array to crypto.subtle.digest("SHA-256", data). The Web Crypto API runs the SHA-256 compression function on the padded 512-bit input block.
  3. 3The SHA-256 digest produces a 32-byte (256-bit) raw output buffer (ArrayBuffer).
  4. 4Convert the ArrayBuffer to a Uint8Array, then map each byte to its two-character lowercase hex representation: byte 0xDF → "df", byte 0xFD → "fd", etc.
  5. 5Join all 32 two-character hex strings to produce the 64-character final output.

Result:

SHA-256("Hello, World!") = dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d (64 hex characters = 256 bits)

Comparing Output Lengths Across All Algorithms

Problem:

Hash the single-character string "A" with all supported algorithms to observe how output length varies while input stays constant.

Solution Steps:

  1. 1Input: "A" (1 character, 1 UTF-8 byte, decimal value 65).
  2. 2SHA-1 output: 6dcd4ce23d88e2ee9568ba546c007c63d9131c1b — 40 hex characters = 160 bits.
  3. 3SHA-256 output: 559aead08264d5795d3909718cdd05abd49572e84fe55590eef31d9f3a2d09e4 — 64 hex characters = 256 bits.
  4. 4SHA-384 output: 72cdc864afb8698ded9d748fc68a2d5af1e1e7df3c80ae68f9fccf7e571c44c3d7b4d1b5ae9a7b6bb5f5cbcf6c6b66b71 — 96 hex characters = 384 bits.
  5. 5SHA-512 output: 21b4f4bd9e64ed355c3eb676a28ebedaf6d8f17bdc365995b319097153044080516bd083bfcce66121a3072646994c8430cc382b8dc543e84880183bf856cff5 — 128 hex characters = 512 bits.

Result:

All algorithms produce completely different output lengths (40/64/96/128 hex characters) from the same 1-byte input, demonstrating fixed output length independent of input size.

Demonstrating the Avalanche Effect

Problem:

Hash "password" and "Password" (capitalizing the first letter) with SHA-256 to show how a single-bit change produces a completely different hash.

Solution Steps:

  1. 1Input 1: "password" — 8 bytes, all lowercase.
  2. 2SHA-256("password") = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
  3. 3Input 2: "Password" — 8 bytes, first character changed from lowercase "p" (0x70) to uppercase "P" (0x50), a single-bit difference in the 6th bit of the first byte.
  4. 4SHA-256("Password") = 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb5b1ef26ce3a8f05ec
  5. 5Compare the two outputs: they share zero recognizable pattern. Approximately 50% of the output bits changed despite only 1 bit changing in the input — the hallmark of the SHA-256 avalanche effect.

Result:

Changing one character (one bit) in the input completely changes the SHA-256 output, confirming that hash outputs cannot be predicted from partial input knowledge.

Computing the Simple Hash for "Hello"

Problem:

Trace through the djb2-inspired simple hash algorithm the tool uses for the input "Hello" to understand how the 8-character hex output is derived.

Solution Steps:

  1. 1Initialize simpleHash = 0. Process each character of "Hello" (char codes: H=72, e=101, l=108, l=108, o=111).
  2. 2After "H": simpleHash = ((0 << 5) - 0) + 72 = 72.
  3. 3After "e": simpleHash = ((72 << 5) - 72) + 101 = (2304 - 72) + 101 = 2333.
  4. 4After "l": simpleHash = ((2333 << 5) - 2333) + 108 = (74656 - 2333) + 108 = 72431.
  5. 5After "l": simpleHash = ((72431 << 5) - 72431) + 108 = (2317792 - 72431) + 108 = 2245469.
  6. 6After "o": simpleHash = ((2245469 << 5) - 2245469) + 111 = (71854208 - 2245469) + 111 = 69608850.
  7. 7Result: Math.abs(69608850).toString(16).padStart(8, "0") = "042655d2" (8 hex characters).

Result:

Simple Hash("Hello") ≈ "042655d2" — an 8-character hex string (32-bit value), illustrating the compact but non-secure nature of non-cryptographic hash functions.

Tips & Best Practices

  • Use SHA-256 as your default algorithm for new projects — it is the most broadly supported and recommended hash in the SHA-2 family.
  • Never use raw SHA hashes to store passwords; always use a purpose-built slow hashing function like bcrypt or Argon2id.
  • The bit count displayed next to each hash equals the hex character count multiplied by 4 — each hex digit encodes exactly 4 bits.
  • SHA-1 is deprecated for security use since the 2017 SHAttered collision attack — use it only for legacy compatibility and never for certificates or signatures.
  • Test the avalanche effect: change one character in your input and observe how completely different the hash output becomes.
  • For verifying downloaded files, compare the SHA-256 or SHA-512 hash the publisher provides against the hash you compute locally — any mismatch indicates tampering or corruption.
  • On 64-bit processors, SHA-512 can actually be faster than SHA-256 for large inputs because it uses 64-bit word operations on larger 1024-bit blocks.
  • HMAC (Hash-based Message Authentication Code) extends SHA hashing with a secret key for API authentication — use HMAC-SHA256 for signing API requests and JWT tokens.

Frequently Asked Questions

Yes — this tool computes all hashes entirely in your browser using the Web Crypto API. Your input text is never sent to any server, logged, or stored anywhere outside your device. The tool explicitly uses client-side JavaScript with no network requests for hashing operations. You can verify this by checking the network tab in your browser's developer tools — no requests are made when you click "Generate Hashes".
No — cryptographic hash functions are intentionally designed to be one-way. There is no algorithm that can take a SHA-256 hash and recover the original input. The only practical approach for an attacker is to hash large numbers of candidate inputs and compare outputs — known as a brute-force or dictionary attack. For short or common inputs like passwords, this is feasible with enough compute power, which is why passwords should never be stored as raw SHA hashes.
Hash functions are deterministic — given identical inputs, they always produce identical outputs. This property is fundamental to their usefulness for integrity verification: if hash(file) today equals hash(file) tomorrow, you know the file has not changed. The SHA algorithms use fixed mathematical operations (bitwise functions, modular addition, shifts) with no random components, so the same input always produces the same digest.
Encryption is a reversible two-way transformation that requires a key: you can encrypt data and later decrypt it back to the original using the correct key. Hashing is a one-way irreversible transformation: you can compute a hash from data but cannot recover the original data from the hash. Encryption protects confidentiality of data that needs to be retrieved; hashing verifies integrity of data without revealing the data itself. Never use hashing where you need to recover the original value, and never use encryption where one-way verification is sufficient.
Each hexadecimal character represents exactly 4 bits (since hex is base-16, and 2^4 = 16). So a 64-character SHA-256 hex string represents 64 × 4 = 256 bits. The tool displays this conversion as a quick reference so you can confirm the algorithm output size at a glance. SHA-1 produces 40 hex chars (160 bits), SHA-256 produces 64 chars (256 bits), SHA-384 produces 96 chars (384 bits), and SHA-512 produces 128 chars (512 bits).
In theory, yes — since the input space is infinite and the output space is finite, collisions must exist by the pigeonhole principle. In practice, finding a collision for SHA-256 or SHA-512 is computationally infeasible: a collision search for SHA-256 requires approximately 2^128 hash computations, which would take longer than the age of the universe even with all current computing power on Earth. SHA-1 is the exception — practical collisions have been demonstrated, which is why it is deprecated for security use.
Before a string can be hashed, it must be converted into a sequence of bytes. UTF-8 is the encoding used by this tool (via TextEncoder) to convert JavaScript strings into bytes. For standard ASCII characters (letters, digits, common punctuation), each character maps to exactly one byte, so "Characters" and "Bytes (UTF-8)" counts will match. For non-ASCII characters like accented letters (é, ü) or emoji, UTF-8 uses 2–4 bytes per character, so the byte count will exceed the character count. The hash is always computed from the bytes, not the characters.
Both are secure choices, but SHA-256 is the more common standard for file integrity and is widely supported across operating systems, package managers, and download verification tools. SHA-512 offers a larger security margin and can be faster on 64-bit hardware for large files, but the practical difference is negligible for most use cases. Use SHA-256 for broad compatibility; use SHA-512 if your specific workflow or compliance requirements call for it.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the Hash Generator?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.