NordVPN
SponsoredStrict no-logs VPN with 6,400+ servers in 111 countries. Threat Protection blocks ads, trackers, and malware while you work online.
Get NordVPN →Type any text to see all four SHA hashes simultaneously. Useful for verifying file integrity, generating signatures, debugging API request signing, and learning cryptography.
A cryptographic hash function takes input of any size and produces a fixed-size output (the 'digest'). Same input always gives the same digest. Tiny input change produces a wildly different digest (avalanche). Reversing the digest to find the input is computationally infeasible for cryptographically strong functions like SHA-256.
Hashing is not encryption. There's no key, no decryption. Common confusions: hashing passwords (use bcrypt/argon2 instead — they slow down brute force), hashing arbitrary text and then 'decoding' it (impossible by design).
SHA-256 is the modern default. Used in Bitcoin, TLS certificates, JWT signatures (HS256), file integrity hashes. 256 bits is plenty for any realistic security need.
SHA-384 and SHA-512 are larger variants of the same family. SHA-512 is sometimes faster on 64-bit hardware. Use them when a protocol or standard explicitly requires.
SHA-1 is deprecated for security but still appears in legacy systems (older TLS, git commit hashes). Don't use it for new security-critical work — collisions have been demonstrated since 2017. We include it for backward compatibility.
File integrity: download a file and a hash; recompute the hash locally; compare. If they match, the file wasn't altered in transit.
Git commits: each commit's identifier is a SHA-1 hash of its contents. Hashing a commit message reveals nothing on its own — you need the rest of the commit to reproduce it.
API request signing: HMAC-SHA-256 is the standard for AWS, GitHub, and many APIs. The hash itself is just one part of HMAC; the API will provide the exact construction it expects.
Caching keys: hashing a URL or set of params gives a stable, fixed-length cache key.
MD5 collisions have been demonstrated since 2004; the Web Crypto API doesn't expose it. For non-security uses (cache keys, file deduplication), use SHA-256 — it's only marginally slower and has no collision risk.
Not directly via this tool — paste text only. For files, use your OS shell: `shasum -a 256 myfile.txt` on macOS/Linux, `Get-FileHash` on Windows.
Numbers in names refer to output bit length: SHA-256 produces 256 bits = 64 hex chars; SHA-512 produces 512 bits = 128 hex chars. Twice as long.
In theory yes (pigeonhole principle), in practice no for SHA-256 with current technology. SHA-1 collisions have been demonstrated; SHA-256 has not.
No. Passwords need slow hashing (bcrypt, scrypt, argon2) plus a salt. Plain SHA-256 is too fast — attackers can hash billions per second.
By definition. Hash functions are deterministic. If you need different outputs each time (e.g., 'salt'), prepend or append a random value to the input.
No. Web Crypto runs entirely in your browser; nothing is transmitted.
HMAC adds a secret key to a hash function. This tool computes plain hashes; for HMAC, use a dedicated tool or a programming library.
Strict no-logs VPN with 6,400+ servers in 111 countries. Threat Protection blocks ads, trackers, and malware while you work online.
Get NordVPN →Managed cloud hosting for WordPress and web apps on DigitalOcean, Vultr, and AWS. Fast setup, no server headaches.
Try Cloudways →Hire freelancers for design, writing, dev, and marketing — or sell your own services. Millions of gigs at every budget.
Browse Fiverr →