How to use
- Choose Text to type or paste content, or File to hash something on disk. Text digests recompute as you type; a file is hashed the moment you drop it on the target or pick it through the browser dialog.
- Tick the algorithms you need. MD5, SHA-1, SHA-256 and SHA-512 are on by default; SHA-384, SHA3-256, SHA3-512 and CRC32 are one click away. Each ticked algorithm gets its own row.
- Read the result from the row you want and press Copy beside it. Rows for unticked algorithms stay hidden, so you are never copying the wrong line.
- Turn on Uppercase hex if the checksum you are matching is printed in capitals — this only restyles the display, never the underlying value.
- Use Clear to wipe the input and every digest at once before hashing something new.
How it works
A hash function maps input of any size onto a fixed-length fingerprint. Change a single bit of input and roughly half the output bits flip, so two files that differ anywhere produce wildly different digests — which is exactly what makes a hash useful for spotting a corrupted or tampered download.
Text is first encoded to UTF-8 bytes, and those bytes are what get hashed. For the SHA-1/256/384/512 family this tool hands the bytes to the browser’s native crypto.subtle.digest; MD5, SHA-3 and CRC32 have no WebCrypto equivalent, so they run through the WebAssembly hasher instead. Both paths produce the same hex string a command-line tool would print for the same bytes.
Take the twelve ASCII characters invoice-4471 — 12 bytes of UTF-8. Its SHA-256 digest is:
7987dee37df3584f3e14ad6a753a24e1732d7f949021998660a6f6b9b99e42cc
That is 64 hex characters, because SHA-256 always emits 256 bits = 32 bytes, regardless of input length. The same 12 bytes through MD5 give 1ee43bee4b5c70e034674a0247a095b1 — 128 bits, 32 hex characters. Retype the input exactly and you will get these strings back every time; append even a trailing space and both change completely.
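The steps above can be reproduced outside the tool. The following is an added example, not this tool's own code: it encodes text to UTF-8, hashes it through crypto.subtle.digest, hex-encodes the result, compares it case-insensitively against a published checksum, and counts how many bits change when a trailing space is appended. The function names are illustrative, and it assumes a runtime with WebCrypto (a modern browser, or Node.js through the fallback shown).

```javascript
// Added example: names below are illustrative, not taken from the tool.
// Assumes WebCrypto: browsers expose globalThis.crypto; Node.js falls back to node:crypto.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// Hash text as the page describes: UTF-8 bytes in, lowercase hex out.
// algorithm is a WebCrypto name: SHA-1, SHA-256, SHA-384 or SHA-512.
async function digestHex(text, algorithm = 'SHA-256') {
  const subtle = await getSubtle();
  const bytes = new TextEncoder().encode(text);
  const buf = await subtle.digest(algorithm, bytes);
  return Array.from(new Uint8Array(buf), b => b.toString(16).padStart(2, '0')).join('');
}

// Compare against a published checksum. Letter case and surrounding whitespace
// are presentation only, so normalise them; everything else must match exactly.
async function matchesPublished(text, published, algorithm = 'SHA-256') {
  const expected = published.trim().toLowerCase();
  if (!/^[0-9a-f]+$/.test(expected)) throw new Error('published value is not hex');
  return (await digestHex(text, algorithm)) === expected;
}

// Count the bits that differ between two equal-length hex digests.
function differingBits(hexA, hexB) {
  if (hexA.length !== hexB.length) throw new Error('digest lengths differ');
  let bits = 0;
  for (let i = 0; i < hexA.length; i++) {
    let x = parseInt(hexA[i], 16) ^ parseInt(hexB[i], 16);
    while (x) { bits += x & 1; x >>= 1; }
  }
  return bits;
}

async function demo() {
  const a = await digestHex('invoice-4471');
  const b = await digestHex('invoice-4471 '); // same text plus a trailing space
  const upperOk = await matchesPublished('invoice-4471', a.toUpperCase());
  return { a, b, changed: differingBits(a, b), upperOk };
}

demo().then(r => console.log(r));
```

The changed field reports how many of the 256 output bits flipped for the one-character edit, and upperOk shows that an uppercase rendering of the same digest still matches.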
Use cases & limitations
The everyday job is integrity checking: hash an ISO or installer you just downloaded and compare it against the digest the publisher lists. Developers also use hashes for content addressing (naming a cache entry or asset by its SHA-256), for deduplicating files that share the same fingerprint, and for generating stable identifiers where a random UUID would not be reproducible.
The honest limitation is what a match actually proves. A digest confirms the bytes in front of you are unchanged — it says nothing about whether the source was trustworthy in the first place. If an attacker controls a download mirror, they can serve a malicious file and publish its matching hash right beside it; the comparison passes and you are none the wiser. A hash verifies integrity, not authenticity. When you need to prove a message came from a party holding a shared secret, reach for the HMAC generator instead, and note that a bare hash is never the right way to store a password — check exposure with the password leak checker rather than rolling your own.
Privacy note
Nothing you hash is uploaded. Text is processed in place, and files are read locally in streaming chunks through File.stream() — even a multi-gigabyte disk image never leaves the tab, because only one chunk sits in memory at a time. The native crypto.subtle calls and the WebAssembly hasher both execute entirely inside your browser; there is no request that carries your input off the device. You can confirm this by opening the network tab and hashing a large file: you will see no upload, only the local read.