Dev Utilities
How to Generate MD5, SHA-256 and SHA-512 Hashes (and When to Use Each)
Learn how cryptographic hashing works, generate MD5, SHA-1, SHA-256 and SHA-512 digests in the browser, and know which algorithm fits your task.
Try the toolHash Generator →You need a quick hash to verify a download, generate a cache key, or produce a content fingerprint — but you are not sure whether to reach for MD5, SHA-1, SHA-256 or SHA-512. Getting this wrong ranges from harmless (a slightly slower cache key) to dangerous (using a broken algorithm where security matters). This guide explains what a hash actually is, how the common algorithms differ, and how to produce one correctly.
What a hash function actually does
A cryptographic hash takes an input of any length and produces a fixed-length string of bytes called a digest. The same input always yields the same digest, but the function is one-way: you cannot reverse a digest back into the original data. Good hash functions also have strong collision resistance — it should be computationally infeasible to find two different inputs that produce the same output.
Digest length is fixed per algorithm regardless of input size:
- MD5 — 128-bit (32 hex chars). Fast, but cryptographically broken. Fine for non-security checksums, never for signatures or passwords.
- SHA-1 — 160-bit (40 hex chars). Also broken for collision resistance; avoid for new security work.
- SHA-256 — 256-bit (64 hex chars). The modern default: fast, secure, widely supported.
- SHA-512 — 512-bit (128 hex chars). Larger digest, often faster than SHA-256 on 64-bit hardware.
Generating a hash in JavaScript
Modern browsers ship the SubtleCrypto API, which computes SHA hashes natively — no library needed. Here is a correct, runnable SHA-256 helper:
async function sha256(message) {
const data = new TextEncoder().encode(message);
const buffer = await crypto.subtle.digest('SHA-256', data);
return Array.from(new Uint8Array(buffer))
.map(b => b.toString(16).padStart(2, '0'))
.join('');
}
sha256('hello').then(console.log);
// 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Swap 'SHA-256' for 'SHA-1', 'SHA-384' or 'SHA-512' as needed. Note that crypto.subtle.digest deliberately does not support MD5, precisely because it is unsafe for cryptographic use — you need a separate implementation for that legacy case.
If you just want the digest without writing code, paste your text into the Hash Generator and it computes MD5, SHA-1, SHA-256 and SHA-512 side by side, entirely in your browser — nothing is uploaded.
A practical walkthrough: verifying a download
Say a project publishes SHA-256: 9f86d0... alongside a release file. To verify integrity:
- Compute the SHA-256 of the file (or its text contents) you downloaded.
- Compare it, character by character, against the published value.
- If they match exactly, the file was not corrupted or tampered with in transit.
Hashes are case-insensitive in hex form but must otherwise match perfectly — a single differing character means the data differs.
Common pitfalls
- Never store passwords with a plain hash. SHA-256 is far too fast; an attacker can try billions of guesses per second. Use a purpose-built, slow algorithm instead — see the Bcrypt Generator.
- Encoding matters. Hashing the string
"héllo"as UTF-8 versus UTF-16 gives different digests. Always agree on an encoding —TextEncoderuses UTF-8, the sensible default. - MD5 is not encryption. A hash cannot be decrypted; if you need to recover the original data, you want Base64 or real encryption, not a hash.
- Do not use MD5/SHA-1 for security decisions such as signatures, deduplication where collisions are attacker-controllable, or integrity against a motivated adversary.
Conclusion
Pick SHA-256 as your default, reach for SHA-512 when you want a longer digest on 64-bit systems, and treat MD5/SHA-1 as legacy checksums only. The math is one-way and deterministic, so once you know the algorithm and encoding, the digest is fully reproducible anywhere. When you just need a digest fast, the browser-based generator does the work locally and privately.