A hash function takes any input, whether it is a single word or an entire database, and produces a fixed-length output that looks like random gibberish. The same input always produces the same output. Change even one character, and the output changes completely.
"Hello" hashed with SHA-256 produces: 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
"hello" (lowercase h) produces: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Completely different outputs from a one-character change. This property makes hashes useful for verifying data integrity, storing passwords securely, and detecting file tampering.
The Hash Generator computes hashes using SHA-256, SHA-512, MD5, and other algorithms, all in your browser. No data is sent to any server.
How Hash Functions Work (Without the Math)
Think of a hash function as a blender. You put in ingredients (your data), the blender runs (the algorithm processes the bits), and out comes a smoothie (the hash). You cannot reverse the process. You cannot look at the smoothie and figure out exactly which ingredients went in. And if you put the same ingredients in again, you get the same smoothie.
More technically, hash functions work by running data through a series of bitwise operations: shifting bits, XORing values, modular addition. Each round mixes the input more thoroughly, like multiple passes through the blender. The number of rounds varies by algorithm. SHA-256 runs 64 rounds. SHA-512 runs 80.
Key properties of a good hash function:
Deterministic: Same input always produces the same output. This is what makes verification possible.
One-way: Given a hash, you cannot compute the original input. You would need to try every possible input until one matches.
Collision-resistant: It should be practically impossible to find two different inputs that produce the same hash. MD5 fails this property, which is why it is considered broken.
Avalanche effect: A tiny change in input produces a completely different hash. No relationship between similar inputs and their hashes.
SHA-256 vs MD5: Why MD5 Is Broken
MD5 was designed in 1991 and produces a 128-bit (32-character hex) hash. SHA-256 was designed in 2001 and produces a 256-bit (64-character hex) hash.
MD5 is cryptographically broken. Researchers have demonstrated practical collision attacks since 2004. This means you can create two different files that produce the same MD5 hash. In 2012, the Flame malware used MD5 collisions to forge a Microsoft digital certificate. The attack is not theoretical. It has been weaponized.
What MD5 is still okay for: - Checksums for data transfer (detecting accidental corruption, not malicious tampering) - Cache keys and hash table buckets (no security requirement) - Non-security deduplication (finding identical files)
What MD5 should never be used for: - Password hashing (use bcrypt or Argon2 instead) - Digital signatures - Certificate validation - Any context where collision resistance matters
SHA-256 is currently secure. No practical attacks exist against it. It is used in TLS certificates, Bitcoin mining, digital signatures, and government systems. Unless a breakthrough in mathematics occurs, SHA-256 will remain secure for decades.
The Hash Generator lets you compare outputs from both algorithms side by side. Try the same input with MD5 and SHA-256 to see the difference in output length and format.
MD5 was designed in 1991 and produces a 128-bit (32-character hex) hash.
Practical Use Cases for Hashing
File integrity verification. Download a file from the internet, compute its hash, and compare it to the hash published by the provider. If they match, the file has not been tampered with. Linux distributions publish SHA-256 hashes for their ISO downloads for exactly this purpose.
`bash
sha256sum ubuntu-24.04.iso
# Compare output with the hash on the download page
`
Password storage. Never store passwords in plain text. Hash them with bcrypt or Argon2 before storing. When a user logs in, hash their input and compare it to the stored hash. The Hash Generator demonstrates how different algorithms transform the same password.
Data deduplication. Hash every file in a backup system. If two files have the same hash, they are (almost certainly) identical. Store only one copy and reference it twice. Cloud storage services use this technique to save disk space.
API request signing. Many APIs require you to sign requests by hashing the request body with a secret key (HMAC). This proves that the request came from you and has not been modified in transit.
Git version control. Every commit, tree, and blob in Git is identified by its SHA-1 hash (Git is migrating to SHA-256). When you run git log, those 40-character hex strings are SHA-1 hashes of each commit's content.
Blockchain. Each block in a blockchain contains the hash of the previous block, creating a tamper-evident chain. Changing any block would change its hash, breaking the chain from that point forward.
Hashing vs Encryption: They Are Not the Same Thing
People confuse hashing and encryption because both transform data into unreadable output. But they serve different purposes.
Hashing is one-way. You cannot recover the original data from a hash. This is intentional. When you hash a password, you never need to reverse it. You only need to compare.
Encryption is two-way. You encrypt data so that someone with the right key can decrypt it and read the original. If you encrypt a message, the recipient needs to decrypt it to read it.
Use hashing for: password storage, data integrity checks, digital signatures, deduplication.
Use encryption for: storing sensitive data that needs to be read later (credit card numbers, personal information), secure communication (HTTPS, email encryption), file protection.
The Text Encryptor handles encryption, letting you encrypt and decrypt text with a password. The Hash Generator handles hashing, where the transformation is permanent.
A common mistake is using encryption for passwords. If you encrypt passwords, an attacker who gets the encryption key can decrypt every password in the database at once. With hashing, there is no key to steal, and each password must be cracked individually.
People confuse hashing and encryption because both transform data into unreadable output.
Hash Algorithms Compared
Here is a quick reference for the most common hash algorithms:
| Algorithm | Output Size | Speed | Security Status | |-----------|------------|-------|----------------| | MD5 | 128 bits (32 hex chars) | Very fast | Broken (collisions found) | | SHA-1 | 160 bits (40 hex chars) | Fast | Weak (collisions demonstrated) | | SHA-256 | 256 bits (64 hex chars) | Moderate | Secure | | SHA-512 | 512 bits (128 hex chars) | Moderate | Secure | | SHA-3 | Variable (224-512 bits) | Moderate | Secure | | BLAKE3 | 256 bits (64 hex chars) | Very fast | Secure | | bcrypt | 184 bits | Intentionally slow | Secure (for passwords) | | Argon2 | Variable | Intentionally slow | Secure (for passwords) |
For general-purpose hashing (checksums, integrity, dedup): use SHA-256 or BLAKE3.
For password hashing: use Argon2 (preferred) or bcrypt. Never use SHA-256 or MD5 for passwords because they are too fast. Speed is a disadvantage in password hashing because it lets attackers try more guesses per second.
For legacy compatibility: MD5 and SHA-1 are acceptable only in non-security contexts.
The Hash Generator supports the most common algorithms. Use the Password Generator alongside it to create strong passwords that are resistant to cracking even if the hash is exposed.
FAQ
Can two different inputs produce the same hash?
Yes, this is called a collision. For MD5 and SHA-1, deliberate collisions have been demonstrated. For SHA-256, no collision has ever been found, and finding one is considered computationally infeasible with current technology.
Why is MD5 still used if it is broken?
MD5 is fast and widely supported. For non-security uses (checksums, cache keys, file deduplication where tampering is not a concern), it works fine. The problem is only when collision resistance matters, such as digital signatures and certificate validation.
How do I verify a file download using a hash?
Download the file and the hash value from the provider's website. Open a terminal and run sha256sum filename (Linux/Mac) or use the Hash Generator to compute the hash. Compare the output to the published hash. If they match, the file is intact.
Is SHA-512 more secure than SHA-256?
Both are considered equally secure against known attacks. SHA-512 has a larger output, which provides a wider margin against brute force, but no practical attack reduces either to a feasible target. Choose based on your needs: SHA-256 is faster on 32-bit systems, SHA-512 is faster on 64-bit systems.
Can I hash a file instead of text?
Yes. Hash functions work on any binary data, not just text. Command-line tools like sha256sum hash files directly. The Hash Generator works with text input. For file hashing, use your operating system's built-in tools or a dedicated file hash checker.
### Can two different inputs produce the same hash.
Password Security in 2026: How to Create and Manage Strong Passwords
A practical guide to password security: how attacks work, what makes passwords strong, and how to use password managers and two-factor authentication effectively.
Online Privacy: Why Browser-Based Tools Are Safer Than Cloud Services
Understand how your data is handled by online tools, the risks of cloud processing, and why browser-based tools offer a fundamentally safer alternative.
Understanding Hash Functions: SHA-256, MD5, and When to Use What
A clear explanation of cryptographic hash functions: how they work, the differences between MD5, SHA-1, SHA-256, and SHA-3, and practical guidance on choosing the right one.