Hash Generator
MD5, SHA-256, SHA-512 and HMAC for text and files, with checksum verification.
100% in your browser. Nothing you type ever leaves this page.
Verify a checksum
HMAC (keyed hash)
Self-test passed: MD5, SHA-256, CRC32 and HMAC verified against known vectors on load.
What you actually use each algorithm for
SHA-256 is the default answer in 2026: file checksums, container image digests, Git's new object format, certificate signatures. SHA-512 is its big sibling, slightly faster on 64-bit CPUs and common in Linux password storage (the crypt variant). SHA-1 survives in legacy Git history and old protocols; treat it as compatibility, not protection, since practical collisions were demonstrated back in 2017. MD5 is the same story five years earlier, yet it remains everywhere as a fast integrity stamp, which is exactly how this tool expects you to use it. CRC32 is not cryptography at all: it catches transmission errors in zip archives and network frames, and it does that one job well.
The verify box is the whole point
The real-world scenario is checking a download. A vendor publishes
sha256: 3f4a... next to an installer; you grab the file, hash it and
compare 64 hex characters by eye, which humans are terrible at. Paste the published
value into the verify box instead: the tool detects the algorithm from the length,
compares the full string and gives you a green match or a red mismatch. A mismatch
means stop. Either the file is corrupted or someone altered it between the vendor and
your disk, and you do not run it to find out which.
One honest limitation worth knowing: a checksum published on the same page as the download only protects against corruption, not compromise. An attacker who can replace the file can usually replace the checksum beside it. Signed releases (GPG, Sigstore, Authenticode) solve that; a checksum from a separate trusted channel is the budget version.
Files never leave your machine
The file mode reads your file with the browser's FileReader and hashes the bytes
locally: SHA variants through the Web Crypto API, MD5 and CRC32 through implementations
that run on this page and validate themselves against
RFC 1321 test
vectors on load. Disconnect from the network after the page loads and everything still
works. For ISO images beyond a few hundred megabytes, use your OS instead:
certutil -hashfile file SHA256 on Windows or
sha256sum file on Linux do not care about browser memory.
HMAC: when a hash needs a key
APIs sign webhooks with HMAC so you can tell a genuine notification from a forged one: Stripe, GitHub and Slack all do a variant of HMAC-SHA256 over the request body. The HMAC panel reproduces that computation so you can debug signature mismatches without pasting production secrets into a random website; this one computes everything locally, and you can verify that claim in your network inspector. The usual mismatch causes are encoding (the body bytes differ from what you think), key confusion (test versus live keys), and hashing the parsed JSON instead of the raw body.
Frequently asked questions
Is MD5 still safe to use?
For security, no: collisions can be manufactured on a laptop, so never use MD5 for passwords, signatures or certificates. For integrity checks against accidental corruption (did this file transfer correctly?), it still works and stays common because it is fast. When you have the choice, publish SHA-256 checksums instead.
Why does my file hash not match the published checksum?
Three usual suspects, in order: the download is genuinely corrupted or incomplete (compare file sizes first), the publisher updated the file without updating the checksum, or you are hashing a different thing than they did (the archive versus the binary inside it, or a text file whose line endings were converted by Git or an FTP client). A mismatch is a stop sign either way: do not run the file until you know which case you are in.
What is the difference between a hash and an HMAC?
A hash fingerprints data; anyone can compute it. An HMAC mixes a secret key into the computation, so only key holders can produce or verify it. That makes HMAC an authenticity check, used to sign API requests, webhooks and JWTs, while a bare hash only proves integrity.
Can I hash large files with this tool?
Yes, up to about 200 MB comfortably. The file is read locally in your browser and never uploaded anywhere. Beyond a few hundred megabytes, browser memory limits make a command line tool the better choice: certutil -hashfile on Windows, sha256sum or shasum -a 256 on Linux and macOS.
Why do CRC32 results sometimes differ between tools?
CRC32 has several variants with different polynomials and parameters. This tool implements the common one (IEEE 802.3, used by zip, gzip and PNG). Tools that implement CRC32C (Castagnoli, used by some filesystems and protocols) will produce different values for the same input. Both are checksums for error detection, not security.