Hash Generator
Generate MD5, SHA-1, SHA-256 and SHA-512 hashes from text.
The Same Algorithm — Four Very Different Situations
MD5, SHA-1, SHA-256, and SHA-512 are all hash functions, but treating them as interchangeable is a security mistake that has caused real-world data breaches. Each algorithm has a different security status, output length, and appropriate use case. Understanding the distinction takes five minutes and prevents costly errors.
How Hash Functions Actually Work
A cryptographic hash function takes an input of any size and produces a fixed-length output (the "digest") deterministically. Two properties matter most:
- Pre-image resistance: Given a hash output, it should be computationally infeasible to find an input that produces that output. This is what "one-way" means.
- Collision resistance: It should be computationally infeasible to find two different inputs that produce the same hash output.
When researchers say MD5 is "broken," they mean its collision resistance has been defeated — it is possible to craft two different files that produce the same MD5 hash. This is catastrophic for digital signatures (an attacker can swap a malicious file for a signed one) but less critical for simple checksums where you control both the input and the hash.
Algorithm Comparison
- MD5 (128-bit output): Collisions can be computed in seconds on consumer hardware. Do not use for security. Still acceptable for non-security checksums where speed matters and collisions are not part of the threat model (e.g., database deduplication of data you control yourself).
- SHA-1 (160-bit output): Google published a practical SHA-1 collision in 2017 (the SHAttered attack). Git historically used SHA-1 for commit identifiers; it is migrating to SHA-256. Do not use for new security applications.
- SHA-256 (256-bit output): Part of the SHA-2 family, currently considered secure. The standard choice for file integrity verification, HMAC signing, TLS certificates, and most modern cryptographic applications.
- SHA-512 (512-bit output): Also SHA-2. Larger output and a marginally larger security margin. On 64-bit processors, SHA-512 is actually faster than SHA-256 due to wider native word operations. Useful when processing large files or when extra margin is warranted.
What Hash Functions Are Not For
General-purpose hash functions are not password hashing algorithms. MD5, SHA-256, and SHA-512 are all too fast: they can be computed billions of times per second on a GPU, making brute-force and dictionary attacks practical. For passwords, use a purpose-built slow hashing algorithm: bcrypt, Argon2, or scrypt. These are intentionally slow and memory-intensive to make brute-force attacks infeasible.
Using This Tool
- Enter or paste your text into the input field.
- Select the algorithm: MD5, SHA-1, SHA-256, or SHA-512.
- The hash updates instantly as you type.
- Copy the hex-encoded digest with one click.
FAQ
Can I reverse a hash to recover the original text?
No — hash functions are one-way by design. However, for short or common inputs (like simple passwords), an attacker can precompute a lookup table (called a rainbow table) of inputs and their corresponding hashes, then look up a hash to find the original input. This is why password hashes must use a unique random salt per user: the salt makes the effective input space too large to precompute.
Why does the same input always produce the same hash?
Hash functions are deterministic by design — that is the property that makes them useful for verification. If you hash a file before and after transfer, you can confirm the file was not corrupted by checking that the hash matches. If the hash function were non-deterministic, this would be impossible.
Is SHA-256 what Bitcoin uses?
Yes — Bitcoin's proof-of-work mining involves computing SHA-256 double-hashes (SHA-256 applied twice) of block headers. Miners compete to find an input that produces a hash output below a target value. This is computationally expensive by design. The SHA-256 you generate here is the same underlying algorithm, applied once to your text input.
My API requires an HMAC-SHA256 signature — can I generate that here?
An HMAC (Hash-based Message Authentication Code) is a hash computed using both the message and a secret key, using a specific construction defined in RFC 2104. A plain SHA-256 hash does not incorporate a secret key, so it is not an HMAC. For HMAC generation, you need a tool that accepts both a key and a message. This tool generates plain hash digests only.