Local hash, checksum, MD5 legacy and HMAC workbench
Generate MD5, SHA-1, SHA-256, SHA-384 and SHA-512 checksums locally, hash text or a small file, compare an expected digest, switch between hex and Base64 output, create HMAC values and review the security difference between checksums, signatures and password hashing.
Text, file hashing and HMAC generation run in your browser. Do not use plain MD5, SHA-1 or SHA-256 hashes as password storage.
Hash generators are for fingerprints, not secrecy
A hash is a deterministic fingerprint. The same input creates the same digest, while even a tiny change creates a very different result. That makes hashes useful for file checksums, release downloads, cache keys, duplicate detection, API examples and integrity checks. But a hash is not encryption: there is no decrypt button, and a plain hash is not enough to protect passwords or bearer secrets.
This hash generator is designed for everyday developer work. It calculates MD5 for legacy checksum comparison, SHA-1 for old systems, and SHA-256, SHA-384 and SHA-512 for modern integrity checks. It can hash typed text or a small local file, compare a pasted checksum, output hex or Base64, generate an HMAC with a secret and explain which results are safe for documentation, debugging or security-sensitive workflows.
How to choose an algorithm
Use SHA-256 as the default checksum when you control the format. Use SHA-512 when a project already expects it or when long digests are acceptable. Use MD5 only when you must compare a legacy checksum from an old tool; MD5 is broken for collision resistance and should not be used for new security decisions. Use HMAC when the receiver needs to know that a message came from someone with the shared secret, not just that the bytes were unchanged.
- MD5 is included for legacy checksums and migration work, not for security.
- SHA-1 is also legacy for security-sensitive use, but still appears in old systems.
- SHA-256 is the practical default for modern checksums.
- HMAC combines a message and secret for signed webhooks or API examples.
- File hashing is useful for checking downloaded archives or generated exports.
Common hash debugging examples
If a vendor publishes a checksum for a download, hash the file and compare the expected digest. If an API signs webhook payloads, compare the raw body exactly, not a reformatted JSON object. If two payloads should be identical but the hash differs, check whitespace, encoding, line endings and field order. For passwords, move to a password hashing algorithm such as Argon2, bcrypt or scrypt instead of storing a fast SHA digest.
Common questions
Is hashing the same as encryption?
No. Encryption is reversible with a key. Hashing is a one-way fingerprint, although weak or predictable inputs can still be guessed.
Why include MD5 if it is weak?
Many old checksums are still published as MD5. This tool labels it as legacy so it can be used for compatibility without pretending it is secure.
When should I use HMAC?
Use HMAC when you need message authentication with a shared secret, for example webhook signatures or internal API examples.
Which hash should I use to store passwords?
None of these. Use a slow password KDF such as bcrypt, scrypt or Argon2. General hashes like MD5 and SHA are far too fast and unsuitable for password storage.
Is MD5 still safe to use?
Only for non-security checksums. MD5 is broken for collision resistance, so never use it for signatures or integrity against an attacker.
What is the difference between a hash and a checksum?
A checksum such as CRC32 detects accidental corruption; a cryptographic hash such as SHA-256 also resists deliberate tampering.
