Hash Generator and File Checksum | SHA-256 and MD5

EncodingRuns in Your Browser (No Uploads)

Generate MD5, SHA-1, SHA-256, and SHA-512 digests from UTF-8 text or the exact bytes of a local file. Compare a complete expected checksum in the browser without sending the input or file to a conversion server.

What to do next

Continue with a related workflow or open the next tool that usually follows this task.

How to Use This Tool

Choose Text for UTF-8 input or File for exact binary bytes.

Enter up to 10,000,000 UTF-8 bytes of text or select one local file up to 100 MiB.

Generate MD5, SHA-1, SHA-256, and SHA-512; Text mode can update after you stop typing.

Choose the publisher's algorithm and paste the complete expected hexadecimal checksum.

Read the explicit match, mismatch, or invalid-format result, then copy the calculated digest if needed.

Also confirm the filename, version, size, and trusted source before running a downloaded file.

When to Use This Tool

Release file verification

Hash an archive or installer as exact bytes and compare every character with an official release checksum.

Transfer integrity checks

Confirm that a backup or shared artifact retained identical bytes after transfer, while separately validating its source.

Webhook and API debugging

Hash an exact UTF-8 payload or canonical request string to isolate encoding and line-ending differences.

Fingerprints and deduplication

Create stable content fingerprints for duplicate detection, snapshot comparisons, and fixture identifiers.

Hash-function learning

Observe digest lengths, collision guidance, and the avalanche effect without treating hashing as encryption.

Legacy checksum compatibility

Compare legacy MD5 or SHA-1 values only when an older system requires them, with the weakness visible in the result.

Common Mistakes

Using MD5 or SHA-1 for security

MD5 and SHA-1 are broken for collision resistance. Keep them for legacy compatibility only, not security decisions.

Hashing passwords directly

Passwords need a slow, salted password hash such as Argon2, bcrypt, or scrypt. A raw SHA digest is too fast for password storage.

Comparing different input bytes

Whitespace, line endings, text encoding, and file changes alter the bytes and therefore produce a different digest.

Treating a match as a safety certificate

A matching digest proves byte equality with the expected value, not that the publisher is trustworthy or the file is malware-free.

Using a partial or untrusted checksum

Verification must compare the full digest from a trusted source. A short prefix or a checksum from the same untrusted mirror is weak evidence.

Examples

Create a SHA-256 release checksum

Hash a release manifest string as UTF-8 and compare all 64 SHA-256 hexadecimal characters.

Input
web-utils-release-2026-05-13
Output
SHA-256: d36a4170ae98dcf5050e74ae158ca5693ade7c3853370ee27907db4f6b557253

Hash a binary release archive

File mode hashes the original bytes, including null bytes and non-text data, rather than decoding a binary file as text.

Input
archive.zip (exact local file bytes)
Output
Four canonical lowercase hexadecimal digests

See the avalanche effect

One changed character creates a different digest, which helps expose copied or edited payload differences.

Input
invoice-total=1250
invoice-total=1251
Output
Each line produces a different digest.

How exact-byte checksums work

A cryptographic hash maps arbitrary input bytes to a fixed-length digest. Text mode first encodes text as UTF-8; file mode hashes the selected file's original bytes without text decoding.

Determinism makes a digest useful for comparison, while the avalanche effect makes small byte changes produce very different output. A digest is not encryption and cannot be decoded back to the source.

Use SHA-256 or SHA-512 for modern integrity checks. MD5 and SHA-1 remain available for legacy compatibility but have known collision weaknesses.

A checksum authenticates nothing by itself. Its evidence is only as trustworthy as the channel that supplied the expected value.

Frequently Asked Questions

Is hashing encryption, and can I reverse a hash?

No. Hashing is one-way, while encryption is reversible with the correct key. A cryptographic digest cannot be decoded back to its source.

Which algorithm should I use?

Use SHA-256 or SHA-512 for modern integrity checks. Keep MD5 and SHA-1 only when a legacy source requires that exact algorithm.

Can two different inputs have the same hash?

Yes. Practical collisions are known for MD5 and SHA-1. No practical collision attack is generally known for SHA-256 or SHA-512, but a digest still does not authenticate its source.

Can I store passwords with SHA-256?

No. Use a dedicated, salted password-hashing function such as Argon2, bcrypt, or scrypt with parameters selected for your system.

Does this tool upload my text or file?

The tool reads text and file bytes locally and does not send them to a conversion server. Consent-aware analytics may receive only the input kind, byte count, algorithm count, duration, and an error category, never the text, file name, file bytes, expected checksum, or calculated digest.

Does file mode hash exact binary bytes?

Yes. File mode reads the original bytes with ArrayBuffer, so binary data is not decoded as text. The current browser-memory safety limit is 100 MiB per file.

Does a match prove a download is safe?

No. A match means the local bytes equal the bytes represented by the expected checksum. Confirm that the value came from an official release page, signed checksum file, or another trusted channel.

Which expected-checksum formats are accepted?

Paste one complete hexadecimal digest for the selected algorithm. Uppercase and a matching prefix such as SHA-256: are accepted. Filenames, internal spaces, shortened values, and non-hex characters are rejected.

How This Tool Was Verified

Maintained and tested by Reviewed

Method: For the File Hash & Checksum Generator review, we preserved the source shown in “Verify a known three-byte file” and completed “Select exact file mode” and “Confirm the file identity”. The produced output was compared literally where possible, with “Comparing different algorithms” and “Trusting a checksum from the same unsafe source” checked against the linked failure evidence.

Expected result: The original bytes 61 62 63 produced the known SHA-256 vector ba7816bf…15ad, and comparisons using another algorithm or altered bytes did not pass.

Sources and standards

Open the tested workflow

Related workflow guides

Use these focused guides when you need a practical workflow before opening the tool.

Related Tools

Continue with another maintained workflow

Browse All Tools