Hash Generator — MD5, SHA-1, SHA-256, SHA-512
Compute MD5, SHA-1, SHA-256, and SHA-512 hashes of any text. UTF-8 safe, lowercase hex output, matches openssl and standard libraries. Runs entirely in your browser.
About this tool
WRRK's hash generator uses the browser's built-in WebCrypto API for SHA-1, SHA-256, and SHA-512 — the same implementation Chrome, Firefox, and Safari ship for TLS and Subresource Integrity. MD5 is computed by a small inline JavaScript implementation (the WebCrypto spec deliberately omits MD5 because it's broken cryptographically). All four hashes appear simultaneously so you don't have to switch tabs.
Output is lowercase hex — byte-for-byte compatible with openssl dgst, hashlib.sha256(...).hexdigest(), crypto.createHash(...).digest('hex'), and Java's MessageDigest. Inputs are UTF-8 encoded before hashing, so emoji and non-Latin scripts produce identical results across languages. Nothing is uploaded — your text stays in the browser, which matters when fingerprinting confidential contracts, secrets, or proprietary code.
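The pipeline described above (UTF-8 encode, WebCrypto digest, lowercase hex), as an added example that is not WRRK's own code; the function names `getSubtle`, `toHex`, `hexDigest`, `matchesChecksum` and `demo` are assumptions. It goes one step beyond the text by showing that visually identical strings in different Unicode normalization forms are different bytes and therefore hash differently.

```javascript
// Added example: UTF-8 encode -> WebCrypto digest -> lowercase hex.
// All function names are illustrative assumptions, not the tool's own code.

// WebCrypto is a global in browsers and Node 19+; older Node exposes it via node:crypto.
async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// Lowercase hex, two digits per byte: the format openssl dgst and hexdigest() print.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// algorithm: 'SHA-1' | 'SHA-256' | 'SHA-512' (WebCrypto has no MD5).
// input: a string (encoded as UTF-8 first) or a Uint8Array of raw bytes.
async function hexDigest(algorithm, input) {
  const bytes = typeof input === 'string' ? new TextEncoder().encode(input) : input;
  const subtle = await getSubtle();
  return toHex(new Uint8Array(await subtle.digest(algorithm, bytes)));
}

// Compare against a published checksum; tolerate uppercase hex and stray whitespace.
async function matchesChecksum(algorithm, input, expectedHex) {
  return (await hexDigest(algorithm, input)) === expectedHex.trim().toLowerCase();
}

// Constructed demo input: the same visible character as two code-point sequences.
async function demo() {
  const composed = '\u00e9';    // "é" as one code point (NFC), UTF-8 bytes c3 a9
  const decomposed = 'e\u0301'; // "e" + combining acute accent (NFD)
  return {
    abc: await hexDigest('SHA-256', 'abc'),
    utf8Bytes: await hexDigest('SHA-256', new Uint8Array([0xc3, 0xa9])),
    composed: await hexDigest('SHA-256', composed),
    decomposed: await hexDigest('SHA-256', decomposed),
    normalized: await hexDigest('SHA-256', decomposed.normalize('NFC')),
  };
}

demo().then((result) => console.log(result));
```

When a hash of non-ASCII text does not match one computed elsewhere, check that both sides hashed the same normalization form before suspecting the hash implementation.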
How to generate a hash (5 steps)
- Paste your input. Drop text, JSON, or any string into the left panel. The hash updates as you type.
- Read all four hashes. MD5, SHA-1, SHA-256, and SHA-512 are computed simultaneously and shown in lowercase hex.
- Pick the right algorithm. Use SHA-256 for general-purpose work, SHA-512 for the strongest output, and SHA-1 or MD5 only for legacy or non-security checksums.
- Copy the hash. Click Copy next to any algorithm to grab its hash to the clipboard.
- Compare against expected value. Paste the expected checksum next to the result to spot mismatches at a glance.
Use cases
- Verifying file integrity against a published checksum
- Generating ETags, cache keys, or fingerprints for static assets
- Preparing webhook signatures (hashing bodies before HMAC signing)
- Generating commit-style identifiers for content-addressed storage
- Spotting changes in JSON config snapshots over time
- Inspecting Subresource Integrity (SRI) hashes for <script integrity="…">
- Quick deduplication of strings before storing them in a database
Frequently asked questions
What is a hash function?
A hash function maps any input — a word, a file, a paragraph — to a fixed-length string of hex characters. Hashes are deterministic (same input always produces the same output) and one-way (you can't reverse the hash to recover the input). They're used for fingerprinting files, verifying integrity, and checksums.
Which hash should I use: MD5, SHA-1, SHA-256, or SHA-512?
Use SHA-256 by default — it's fast, secure, and the modern industry standard. SHA-512 is stronger but produces a longer hash. SHA-1 is deprecated for security but still common in Git commit IDs and some legacy systems. MD5 is broken cryptographically (collisions exist) — only use it for non-security checksums like CDN ETags or quick file fingerprints.
Is the input sent to a server?
No. SHA-1, SHA-256, and SHA-512 use the browser's built-in WebCrypto API. MD5 is computed by a small inline JavaScript implementation. Nothing is uploaded — your input never leaves your device.
Are the hashes UTF-8 safe?
Yes. The tool encodes input as UTF-8 before hashing, so emoji, Chinese, Arabic, and accented characters produce the same hash you'd get from openssl, Python's hashlib, Node's crypto module, or any other standard implementation.
Can I use these hashes for password storage?
No — never. MD5 and SHA family hashes are too fast for password hashing, which makes brute-force attacks easy. For passwords, use a slow, salted KDF: bcrypt, scrypt, Argon2, or PBKDF2. This tool is for fingerprinting and integrity checks, not password protection.
Are the outputs the same as openssl or Python hashlib?
Yes — output is lowercase hex matching openssl dgst -sha256, Python hashlib.sha256().hexdigest(), Node crypto.createHash().digest('hex'), and Java MessageDigest. UTF-8 byte-for-byte compatible.
Why does an empty input still show hashes?
It doesn't — the tool deliberately blanks the output for empty inputs. Hashes for empty strings are well-known constants (e.g. SHA-256 of '' is e3b0c44…b855) but showing them is misleading because they look identical for all empty fields.