filemarkr
All ToolsGuides
filemarkr

60+ free developer tools that run entirely in your browser — JSON formatter, JWT decoder, Base64, diff checker, regex tester, hash generator and more. No upload, no sign-up, completely private.

JSON & Data

  • JSON Formatter
  • JSON Minifier
  • JSON Validator
  • JSON to CSV
  • CSV to JSON
  • JSON to YAML

Encode & Decode

  • Base64 Encode / Decode
  • Base64 to Image
  • Image to Base64
  • URL Encode / Decode
  • HTML Entity Encoder
  • JWT Decoder

Text Tools

  • Text Diff Checker
  • Case Converter
  • Word & Character Counter
  • Slug Generator
  • Remove Duplicate Lines
  • Sort Text Lines

Generators

  • UUID Generator
  • Password Generator
  • Lorem Ipsum Generator
  • QR Code Generator
  • Random Number Generator
  • NanoID Generator

Popular Guides

  • How to Format and Pretty-Print JSON (Without Breaking It)
  • How to Minify JSON and Shrink Your API Payloads
  • How to Validate JSON and Pinpoint the Exact Syntax Error
  • How to Convert JSON to CSV for Excel and Google Sheets
  • How to Convert CSV to JSON (With Proper Header Detection)
  • All guides →

Explore

  • All Tools
  • JSON Formatter
  • JWT Decoder
  • Diff Checker
  • UUID Generator

Company

  • About
  • Privacy
  • Terms
  • Sitemap

Our Promise

  • 100% in your browser
  • Zero uploads
  • No sign-up, always free

© 2026 filemarkr. Designed & developed by Naved Naik.  All processing happens locally in your browser.

All guides

Dev Utilities

How to Generate MD5, SHA-256 and SHA-512 Hashes (and When to Use Each)

Learn how cryptographic hashing works, generate MD5, SHA-1, SHA-256 and SHA-512 digests in the browser, and know which algorithm fits your task.

Try the toolHash Generator →

You need a quick hash to verify a download, generate a cache key, or produce a content fingerprint — but you are not sure whether to reach for MD5, SHA-1, SHA-256 or SHA-512. Getting this wrong ranges from harmless (a slightly slower cache key) to dangerous (using a broken algorithm where security matters). This guide explains what a hash actually is, how the common algorithms differ, and how to produce one correctly.

What a hash function actually does

A cryptographic hash takes an input of any length and produces a fixed-length string of bytes called a digest. The same input always yields the same digest, but the function is one-way: you cannot reverse a digest back into the original data. Good hash functions also have strong collision resistance — it should be computationally infeasible to find two different inputs that produce the same output.

Digest length is fixed per algorithm regardless of input size:

  • MD5 — 128-bit (32 hex chars). Fast, but cryptographically broken. Fine for non-security checksums, never for signatures or passwords.
  • SHA-1 — 160-bit (40 hex chars). Also broken for collision resistance; avoid for new security work.
  • SHA-256 — 256-bit (64 hex chars). The modern default: fast, secure, widely supported.
  • SHA-512 — 512-bit (128 hex chars). Larger digest, often faster than SHA-256 on 64-bit hardware.

Generating a hash in JavaScript

Modern browsers ship the SubtleCrypto API, which computes SHA hashes natively — no library needed. Here is a correct, runnable SHA-256 helper:

async function sha256(message) {
  const data = new TextEncoder().encode(message);
  const buffer = await crypto.subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(buffer))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

sha256('hello').then(console.log);
// 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Swap 'SHA-256' for 'SHA-1', 'SHA-384' or 'SHA-512' as needed. Note that crypto.subtle.digest deliberately does not support MD5, precisely because it is unsafe for cryptographic use — you need a separate implementation for that legacy case.

If you just want the digest without writing code, paste your text into the Hash Generator and it computes MD5, SHA-1, SHA-256 and SHA-512 side by side, entirely in your browser — nothing is uploaded.

A practical walkthrough: verifying a download

Say a project publishes SHA-256: 9f86d0... alongside a release file. To verify integrity:

  1. Compute the SHA-256 of the file (or its text contents) you downloaded.
  2. Compare it, character by character, against the published value.
  3. If they match exactly, the file was not corrupted or tampered with in transit.

Hashes are case-insensitive in hex form but must otherwise match perfectly — a single differing character means the data differs.

Common pitfalls

  • Never store passwords with a plain hash. SHA-256 is far too fast; an attacker can try billions of guesses per second. Use a purpose-built, slow algorithm instead — see the Bcrypt Generator.
  • Encoding matters. Hashing the string "héllo" as UTF-8 versus UTF-16 gives different digests. Always agree on an encoding — TextEncoder uses UTF-8, the sensible default.
  • MD5 is not encryption. A hash cannot be decrypted; if you need to recover the original data, you want Base64 or real encryption, not a hash.
  • Do not use MD5/SHA-1 for security decisions such as signatures, deduplication where collisions are attacker-controllable, or integrity against a motivated adversary.

Conclusion

Pick SHA-256 as your default, reach for SHA-512 when you want a longer digest on 64-bit systems, and treat MD5/SHA-1 as legacy checksums only. The math is one-way and deterministic, so once you know the algorithm and encoding, the digest is fully reproducible anywhere. When you just need a digest fast, the browser-based generator does the work locally and privately.

More guides

How to Format and Pretty-Print JSON (Without Breaking It)

Read

How to Minify JSON and Shrink Your API Payloads

Read

How to Validate JSON and Pinpoint the Exact Syntax Error

Read

How to Convert JSON to CSV for Excel and Google Sheets

Read