Hash Generator
About Hash Generator
The Hash Generator is a comprehensive cryptographic toolkit that computes hash digests, generates HMACs, hashes files, and compares hash values — all entirely in your browser. The Hash tab computes MD5 (128-bit), SHA-1 (160-bit), SHA-256 (256-bit), and SHA-512 (512-bit) digests simultaneously for any text input. The HMAC tab generates keyed-hash message authentication codes using HMAC-SHA-256 and HMAC-SHA-512 with a secret key you provide. The File Hash tab lets you upload any file and compute its SHA-1, SHA-256, or SHA-512 checksum for integrity verification.
Hashing and HMAC generation are fundamental to software development and security. Developers use SHA-256 hashes to verify file integrity after downloads, generate content-addressable identifiers for caching, and create checksums for database migrations. HMAC is essential for webhook signature verification (e.g., GitHub, Stripe, Slack webhooks), API authentication, JWT signing, and secure message authentication. The File Hash feature replaces command-line tools like shasum and openssl dgst, allowing you to verify downloaded software, firmware images, or ISO files directly in the browser.
The SHA and HMAC computations use the browser's native Web Crypto API (crypto.subtle), which provides hardware-accelerated, standards-compliant implementations. MD5 is computed via a pure-JavaScript implementation since it is not available in Web Crypto. File hashing reads the file via the File API and processes it through crypto.subtle.digest. All processing runs entirely in your browser — no data is ever transmitted to a server. The built-in Compare section lets you paste any two hash strings and check whether they match (case-insensitive), which is invaluable for verifying downloads and checksums.
Key Features
- Four hash algorithms in one tool: MD5, SHA-1, SHA-256, and SHA-512 computed simultaneously from text input
- HMAC generation with HMAC-SHA-256 and HMAC-SHA-512 using the Web Crypto API for webhook signature verification
- File hashing: upload any file to compute its SHA-1, SHA-256, or SHA-512 checksum directly in the browser
- Hash comparison: paste two hash values to check if they match (case-insensitive) for download verification
- SHA and HMAC powered by the native Web Crypto API (crypto.subtle) for maximum speed and correctness
- One-click copy for each individual hash result, ready to paste into scripts or config files
- Lowercase hexadecimal output matching the standard format used by shasum, md5sum, and openssl
- Full UTF-8 support — correctly hashes international text, emoji, and special characters
- 100% client-side processing — your text, keys, and files never leave the browser or touch any server
- Tabbed interface with Hash, HMAC, and File Hash sections for a clean, organized workflow
Frequently Asked Questions
What is a cryptographic hash function?
A cryptographic hash function takes an input of any length and produces a fixed-size output (the "digest") that is deterministic, fast to compute, and practically irreversible. Even a one-character change in the input produces a completely different digest. Hash functions are used for data integrity verification, digital signatures, password storage, and content addressing.
What is HMAC and when should I use it?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce an authentication tag. Unlike plain hashing, HMAC proves both the integrity and authenticity of a message — only someone with the secret key can generate the correct HMAC. Use HMAC for webhook signature verification (GitHub, Stripe, Slack), API request signing, JWT token validation, and any scenario where you need to verify that a message was not tampered with and came from a trusted source.
Which hash algorithm should I use?
For security-sensitive tasks such as digital signatures, file integrity, or HMAC authentication, use SHA-256 or SHA-512. MD5 and SHA-1 are cryptographically broken (vulnerable to collision attacks) and should only be used for non-security purposes like checksums for accidental corruption detection or legacy system compatibility.
How does file hashing work in the browser?
When you upload a file, the browser reads its raw bytes using the File API (file.arrayBuffer()), then passes the binary data to crypto.subtle.digest() which computes the SHA hash. The file never leaves your computer — no upload occurs. This produces the same checksum as running shasum or sha256sum on the command line, making it ideal for verifying downloaded software, firmware, or ISO files.
How does the hash comparison work?
The Compare section performs a case-insensitive string comparison of two hash values. This accounts for the common case where one tool outputs uppercase hex and another outputs lowercase. Simply paste both hashes and click Compare — you will see a clear match or mismatch result. This is useful for verifying file downloads against published checksums.
Is MD5 still safe to use?
MD5 is not safe for cryptographic purposes — practical collision attacks have been demonstrated since 2004. However, MD5 remains useful for non-security checksums: verifying file downloads against accidental corruption, generating cache keys, or matching legacy systems that require MD5. Never use MD5 for password hashing or digital signatures.
Why do all four hashes have different lengths?
Each algorithm produces a different digest size: MD5 outputs 128 bits (32 hex characters), SHA-1 outputs 160 bits (40 hex chars), SHA-256 outputs 256 bits (64 hex chars), and SHA-512 outputs 512 bits (128 hex chars). Longer digests provide stronger collision resistance and are harder to brute-force.
Can I reverse a hash back to the original text?
No. Cryptographic hash functions are designed to be one-way — there is no mathematical method to recover the original input from a hash. Attackers may attempt dictionary attacks or rainbow tables against weak inputs like short passwords, which is why password hashing uses specialized algorithms (bcrypt, Argon2) with salts and iteration counts.
Is my data safe when using this tool?
Yes. All computations (SHA digests, HMAC signatures, and file hashes) run entirely in your browser using the native Web Crypto API and local JavaScript. No data — text, secret keys, or file contents — is transmitted to any server, stored in any database, or logged anywhere. This makes it safe to hash sensitive strings like API keys, tokens, passwords, and confidential files.
Will the output match command-line tools like shasum?
Yes, for identical input the hexadecimal output matches shasum, sha256sum, openssl dgst, and similar utilities. For HMAC, the output matches openssl dgst -hmac. Note that input hashed by command-line tools may include a trailing newline character (for example, from echo or at the end of a text file), so ensure your inputs match byte for byte when comparing digests.