🛠️Dev Toolbox

🛡️ Hash Generator (MD5/SHA)

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text or file — all computed locally in your browser for maximum privacy.

You download a Linux ISO. The sidebar on the download page publishes an SHA-256 digest. How do you know the bits on your disk match the bits the maintainers actually published? You hash the local file and compare the two strings. That is what this tool does -- for text, for files, for any data you feed it.

Pick an algorithm (MD5, SHA-1, SHA-256, SHA-384, SHA-512). Drop something in. Get a hex digest back, same browser, no network, no upload to a third-party server. The Web Crypto API does the computation, so it is as efficient as your hardware allows.

The gotcha that generates the most support tickets: hashing the wrong thing.

If you hash the text hello, you get 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 (SHA-256). If you hash the file hello.txt containing hello\n (note the trailing newline your editor added invisibly), you get 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03. Same word, different byte stream, unrelated hashes. When someone says "my SHA-256 does not match," the first question is almost always "did you hash the string, or the file containing the string?"

Do not use MD5 or SHA-1 for security purposes. Both are broken for collision resistance; MD5 collisions can be generated in seconds on commodity hardware. Their only remaining legitimate uses are content-addressable storage keys and non-adversarial checksums ("did this file transfer correctly?"). For anything adversarial -- password storage (use bcrypt), file signing, certificates -- SHA-256 floor, SHA-512 if you are paranoid.

Notes worth bookmarking:

  • Determinism is the contract. The same input hashed by SHA-256 produces the same digest on every machine, in every browser, until the sun burns out. If your hash differs from mine, the inputs differed -- not the algorithm.

  • Hashes are not encryption. A digest has no inverse. There is no operation that recovers hello from 2cf24dba.... If you need a reversible transformation, you want AES with a key, not SHA.

  • Files hash on their bytes. A JPEG, a PDF, an empty file, a 2 GB video -- it just works. The tool reads files via the streaming Web Crypto API, so memory footprint stays flat.

  • Hex casing does not matter for matching -- ABC and abc decode to the same bytes. Pick one convention in your codebase and stick with it.

  • Verify by comparing the full digest, never a prefix. Truncating a hash raises collision risk dramatically.

For "does this artifact match the manifest" workflows, SHA-256 is the answer. For "what is a stable key to dedupe this content," MD5 is sometimes acceptable. Never for "is this signature valid."

More Developer Tools

Explore our complete collection of 60+ free developer tools at dev.aisoosoo.com. All tools run 100% in your browser — no signup, no data sent to servers.