Free Hash Generator and File Verifier
Compute cryptographic hashes of any text or file in your browser. Supports MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-512, and BLAKE2b. Verify a downloaded file against a published hash to confirm integrity. HMAC mode provides keyed message authentication. SHA-1 and the SHA-2 family run on the native Web Crypto API; MD5, SHA-3, and BLAKE2 use small audited libraries.
How to use
- 01 Hash text: paste the text. Every supported algorithm hashes it instantly. Switch the output format to hex (lower or upper) or base64.
- 02 Hash file: drop a file, pick the algorithm, click Compute. Large files are streamed in 4 MB chunks so multi-gigabyte files do not blow up memory.
- 03 Verify file: paste the hash published by the source (a Linux ISO mirror, a release note, an email signature). The algorithm is auto-detected from the hash length. The tool computes the file hash and reports MATCH or MISMATCH.
- 04 HMAC: enter a message and a secret key, pick HMAC-SHA-256 (or another), and the tag updates as you type.
FAQ
Which algorithms should I use today?
For new code: SHA-256 for general hashing, SHA-512 if you want extra collision resistance, SHA3-256 if you specifically need a non-Merkle-Damgård construction. BLAKE2b is faster than SHA-2 in software but less standardized. MD5 and SHA-1 are broken for security but still useful for non-security checks (deduplication, change detection). Never use them for password hashing or signing.
Why are SHA-1 and MD5 still listed?
They remain useful as fingerprints (CDN cache keys, file dedup, ETag generation) and you may need them to verify older files where the publisher only released an MD5 or SHA-1. The tool offers them but warns implicitly by listing them after the secure family.
How does the file streaming work?
The browser File API exposes the file as a Blob. The tool reads it in 4 MB slices and feeds each slice into the streaming hash context. SHA-1, SHA-256, SHA-384, and SHA-512 use the Web Crypto API, which does not support streaming in browsers, so for those the entire file is buffered before hashing. MD5, SHA-3, and BLAKE2 run on streaming JavaScript implementations, so they handle very large files with constant memory.
Is the secret in HMAC mode safe?
It stays in your browser memory and is sent to no server. That said, browser memory is shared with extensions and other tabs. If your secret is genuinely sensitive (a production signing key), use it from a trusted server-side context, not a webpage.
What is the difference between hex and base64 output?
Same bytes, different encoding. Hex is more readable and what most documentation publishes. Base64 is more compact (4 characters per 3 bytes vs 2 hex characters per byte) and used in JWT, OAuth signatures, and S3 ETags.
Why does my SHA-256 not match the publisher?
Common causes: trailing newline added by your editor, hidden BOM at the start of a text file, line endings converted from LF to CRLF on Windows. For binary files this never happens. Always verify the byte count matches the publisher first.
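The causes listed above can be tested mechanically by undoing each one and re-hashing. The following is an added example, not the tool's own code: it runs under Node.js with the built-in `crypto` module rather than in the browser, and the function name `diagnose`, the repair labels, and the sample bytes are assumptions constructed for the illustration.

```javascript
const { createHash } = require('node:crypto');

const sha256Hex = (buf) => createHash('sha256').update(buf).digest('hex');

// Each repair undoes one byte-level change named in the answer above.
// Labels are illustrative; order matters (CRLF is folded before the final newline is cut).
const REPAIRS = [
  ['utf8-bom', (b) =>
    (b.length >= 3 && b[0] === 0xef && b[1] === 0xbb && b[2] === 0xbf ? b.subarray(3) : b)],
  // latin1 maps every byte to one code unit, so this replace is byte-exact.
  ['crlf-line-endings', (b) =>
    Buffer.from(b.toString('latin1').replace(/\r\n/g, '\n'), 'latin1')],
  ['trailing-newline', (b) =>
    (b.length > 0 && b[b.length - 1] === 0x0a ? b.subarray(0, b.length - 1) : b)],
];

// status: MATCH (bytes identical), EXPLAINED (matches after the listed repairs),
// or MISMATCH (none of the text-level causes accounts for the difference).
function diagnose(localBytes, publishedHex) {
  const want = publishedHex.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(want)) throw new Error('expected a 64-character SHA-256 hex digest');
  if (sha256Hex(localBytes) === want) {
    return { status: 'MATCH', undone: [], bytes: localBytes.length };
  }
  // Try every combination of repairs (2^3 - 1 = 7 candidates).
  for (let mask = 1; mask < 1 << REPAIRS.length; mask++) {
    let candidate = localBytes;
    const undone = [];
    REPAIRS.forEach(([name, repair], i) => {
      if (!(mask & (1 << i))) return;
      const next = repair(candidate);
      if (!next.equals(candidate)) undone.push(name);
      candidate = next;
    });
    if (sha256Hex(candidate) === want) {
      return { status: 'EXPLAINED', undone, bytes: candidate.length };
    }
  }
  return { status: 'MISMATCH', undone: [], bytes: localBytes.length };
}

// Constructed sample: the publisher's bytes, and a local copy after a Windows editor
// saved it with a BOM and CRLF line endings.
const PUBLISHED = Buffer.from('alpha\nbeta\n', 'utf8');
const PUBLISHED_SHA256 = sha256Hex(PUBLISHED);
const LOCAL_COPY = Buffer.concat([Buffer.from([0xef, 0xbb, 0xbf]), Buffer.from('alpha\r\nbeta\r\n')]);

console.log(diagnose(LOCAL_COPY, PUBLISHED_SHA256));
```

An EXPLAINED result only says why the digests differ; the returned byte count is the size to compare against the publisher's, and the copy you rely on should still hash to MATCH without repairs.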