Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes using the Web Crypto API. Verify hashes by comparing against known values. All processing happens in your browser.
Enter text and click “Generate Hash” to see results
A core property of cryptographic hashes is the avalanche effect: changing a single bit of input flips approximately 50% of the output bits. Hash the word “hello” with SHA-256, then hash “Hello” — the two 64-character hex strings share zero recognizable pattern. This makes it impossible to work backwards from a hash to its input, or to find a nearby input that produces a similar hash. Every hash is a unique digital fingerprint.
| Algorithm | Output | Security |
|---|---|---|
| SHA-1 | 160 bits (40 hex) | Deprecated |
| SHA-256 | 256 bits (64 hex) | Recommended |
| SHA-384 | 384 bits (96 hex) | Strong |
| SHA-512 | 512 bits (128 hex) | Maximum |
SHA-1 was broken in 2017 when Google demonstrated the first practical collision (SHAttered attack) requiring 9 × 1018 computations. SHA-256 has a collision resistance of 2128operations — with current technology, that would take all the world's computing power billions of years. SHA-384 and SHA-512 use the same SHA-2 family but with wider internal state, providing even higher security margins for sensitive applications.
File integrity:Download a Linux ISO and compare its SHA-256 hash against the published value — if they match, the file is untampered. Git version control: Every commit is identified by a SHA-1 hash of its contents (Git is migrating to SHA-256). Digital signatures:A document is hashed first, then the hash is encrypted with a private key — verifiers decrypt with the public key and compare hashes. Blockchain:Bitcoin uses double-SHA-256 to link blocks, making the chain's history computationally immutable.
This tool uses the browser's built-in crypto.subtle.digest() API — the same implementation used by HTTPS, WebAuthn, and the Web Payments API. It runs in a sandboxed environment with hardware acceleration on supported platforms. No JavaScript crypto library is involved, eliminating an entire class of supply-chain vulnerabilities. Your input text never leaves the browser.
SHA-1 is deprecated for security-critical uses (certificates, signatures) but remains widely used for non-security checksums, Git commit IDs, and legacy system compatibility. We include it so you can verify hashes against older systems. For any new security application, always use SHA-256 or above.
Both belong to the SHA-2 family. SHA-256 uses 32-bit words and produces a 256-bit digest; SHA-512 uses 64-bit words and produces a 512-bit digest. On 64-bit processors, SHA-512 can actually be fasterthan SHA-256 because its internal operations align with the CPU's native word size. SHA-384 is a truncated version of SHA-512 with a different initialization vector, offering a middle ground.
Paste a known hash into the “Verify Against” field, then generate a hash of your text. The tool performs a constant-time comparison — checking every character regardless of where a mismatch occurs. If the hashes match, the text is identical to whatever produced the original hash. This is the same principle behind software download verification and database integrity checks.