Hash Generator.
MD5, SHA-1, SHA-256, SHA-384, SHA-512, plus CRC-32 and Adler-32 for non-cryptographic integrity checksums. Text or files up to 2 GB, streamed in chunks so your tab doesn't freeze. Hex or Base64 output. Everything happens in your browser — the input never leaves your machine.
Paste an expected hash + the source (text or a file below) and check if they match. Useful for verifying downloads, package integrity, or checksums on the side of an installer.
Which hash function should you use?
CRC-32 and Adler-32 are non-cryptographic. They are 4-byte integrity checksums designed for speed, not collision resistance. CRC-32 appears in ZIP file entries, PNG chunks, Ethernet frames, and rsync blocks; Adler-32 is what zlib and rsync use for file-level integrity. They are great for detecting accidental corruption during transfer. They are useless for detecting intentional tampering — forging a collision takes seconds.
File integrity (download checksums, cache keys, deduplication): SHA-256 is the modern default. MD5 and SHA-1 still appear on legacy download pages and work fine for integrity in the absence of an adversary; use whichever the source publishes.
Password storage: None of these. Use a dedicated password-hashing KDF — Argon2id, bcrypt, or scrypt — with a per-password salt and tunable cost factor. A plain SHA-256 of a password can be brute-forced at tens of billions of attempts per second on a modern GPU.
Digital signatures, HMAC, certificates: SHA-256 minimum; SHA-384 or SHA-512 if you're in a compliance environment that mandates them. Never SHA-1 (chosen-prefix collisions have been practical since 2020). Never MD5 (collisions have been practical since 2005).
Git commit IDs: Historically SHA-1. The Git project has a SHA-256 migration path (git --object-format=sha256) but adoption is slow. When you're comparing Git commit hashes, SHA-1 hex is what you're looking at.