How do I verify a SHA-256 checksum?

Switch to File mode, drag your downloaded file in, select SHA-256, and compare the output to the checksum on the download page. An exact match means the file is genuine.

What is HMAC used for?

HMAC (Hash-based Message Authentication Code) adds a shared secret key to a hash. It is used for API request signing, webhook payload verification, and ensuring message integrity.

What is a rainbow table attack?

A rainbow table is a precomputed lookup table mapping hashes to their original values. Adding a unique random salt per password makes rainbow tables ineffective, which is why bcrypt and Argon2 include salting automatically.

Can I reverse a hash?

No. Cryptographic hashes are one-way functions — you cannot compute the original input from the hash output. Only brute force or rainbow table attacks can crack weak passwords. Strong passwords with proper salt are computationally infeasible to crack.

How do I verify a file's integrity using its checksum?

Download the file, then drag it into the Hash Generator in File mode. Select SHA-256 (or whichever algorithm the publisher used) and compare the output to the published checksum. Any difference means the file may be corrupted or tampered with.

What is the difference between SHA-256 and SHA-512?

SHA-256 produces a 256-bit (32 byte) digest; SHA-512 produces a 512-bit (64 byte) digest. Both are secure. SHA-512 is slightly faster on 64-bit processors but produces a longer output. SHA-256 is the most commonly used standard.

How do I generate a SHA-256 hash in JavaScript?

Use the Web Crypto API: const buffer = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(text)); then convert to hex with Array.from(new Uint8Array(buffer)).map(b => b.toString(16).padStart(2,"0")).join("").

How do I generate an MD5 hash in Python?

import hashlib; hashlib.md5(b"hello").hexdigest(). For SHA-256: hashlib.sha256(b"hello").hexdigest(). For files: hash a file in chunks using hashlib.sha256() with file.read(65536) in a loop.

What is Argon2 and why is it better than MD5 for passwords?

Argon2 is a memory-hard password hashing algorithm designed to resist GPU and ASIC attacks. MD5 is a general-purpose hash — extremely fast and computationally cheap, making it trivial to brute-force passwords. Never use MD5 or SHA-256 directly to hash passwords; always use bcrypt, Argon2, or scrypt.

Is it safe to hash files in the browser?

Yes. This tool uses the Web Crypto API built into your browser. Files are read locally using JavaScript and never uploaded to any server. Even very large files (up to several GB) are processed entirely on your device.

Hash Generator — MD5, SHA-256, SHA3, BLAKE2, File Checksum, HMAC & Password Hashing Online Free

What Is a Hash Generator?

A hash generator turns any input — text or file — into a fixed-length fingerprint called a hash or checksum. The same input always produces the same hash; a single-bit change produces a completely different one. Hashes are used for integrity checks, digital signatures, password storage, API signing, and verifying downloads.

How it works

Generate Any Hash in Seconds

Paste text or drop a file

Type directly, paste a string, or drag a file of any size into the File tab.

Pick an algorithm

Choose MD5, SHA-256, SHA3, BLAKE2, HMAC, bcrypt, Argon2, and more.

Copy the hash

Output updates instantly. Copy the hex, Base64, or binary result.

Verify with one click

Paste an expected hash into Verify mode for constant-time comparison.

Use cases

When to Use Each Hash Algorithm

✅

Verify File Downloads

Drop a file in File mode, select SHA-256, compare against the published checksum.

🔑

API & Webhook Signing

Use HMAC-SHA256 to sign request payloads and verify GitHub, Stripe, or Shopify webhooks.

🔒

Password Hashing

Hash passwords with bcrypt or Argon2 — slow by design, salted, and resistant to brute force.

🗂️

Content ETags

Generate MD5 or SHA-1 checksums for cache ETag headers.

🛡️

Data Integrity

Hash config files or build artifacts to detect unauthorized changes.

📊

Deduplication

Use SHA-256 to fingerprint data blobs and deduplicate storage.

MD5 vs SHA-1 vs SHA-256 vs SHA3 vs BLAKE2

Algorithm	Output	Security	Best for
MD5	128-bit	❌ Broken	Cache keys, non-security ETags
SHA-1	160-bit	⚠️ Deprecated	Legacy only
SHA-256	256-bit	✅ Recommended	File verification, signing, TLS
SHA3-256	256-bit	✅ Modern	SHA-2 alternative
BLAKE2b	256–512-bit	✅ Fast & secure	Performance-critical hashing
bcrypt	variable	✅ For passwords	Password storage
Argon2	variable	✅ Best-in-class	New app password hashing

HMAC for API Signing and Webhook Verification

HMAC (Hash-based Message Authentication Code) combines a message with a secret key to produce a value only the key-holder can reproduce. Platforms like GitHub, Stripe, Shopify, and Twilio sign webhook payloads with HMAC-SHA256. Paste the payload and your secret into the HMAC tab to generate or verify a signature — all without sending your secret to any server.

FAQ

Frequently Asked Questions

1How do I verify a downloaded file's SHA-256 checksum?

Switch to File mode, drag your downloaded file in, select SHA-256. Compare the output against the checksum on the download page. Use Verify mode to paste the expected checksum and have the comparison done for you.

2What is the difference between MD5 and SHA-256?

MD5 is 128-bit and cryptographically broken — collision attacks exist. SHA-256 is 256-bit and the current recommended standard for file verification, signing, and TLS. Use SHA-256 for all security-related hashing.

3What is HMAC and when do I need it?

HMAC adds a secret key to a hash so only someone with the same key can reproduce the value. Use it for API request signing, webhook verification (GitHub, Stripe, Shopify), and anywhere you need integrity plus authenticity.

4bcrypt vs Argon2 — which should I use for passwords?

Both are slow, salted, and brute-force-resistant. Argon2 won the Password Hashing Competition in 2015 and is the current recommendation for new applications. bcrypt is still widely used and secure. Never use MD5 or plain SHA-256 for passwords.

5Is it safe to hash sensitive files or text here?

Yes. All hashing runs entirely in your browser using the Web Crypto API. Your files and text are never uploaded or sent to any server.

6What is constant-time hash comparison?

Comparing hashes character-by-character leaks timing information (early exit on first mismatch). Constant-time comparison takes the same time regardless of where hashes differ, preventing timing attacks. This tool's Verify mode uses constant-time comparison.

Learn more

Developer Guides

📖Hashing & Security Guide 📖API Security Best Practices 📖Encoding in REST APIs 📖Debugging Data Integrity

Feedback for hash_generator

Tell us what's working, what's broken, or what you wish we built next — it directly shapes our roadmap.

You make the difference

Good feedback is gold — a rough edge you hit today could be smoother for everyone tomorrow.

Feature ideas often jump the queue when lots of you ask.
Bug reports with steps get fixed faster — paste URLs or examples if you can.
Name and email are optional; we won't use them for anything except replying if needed.

Stay Updated

Get the latest tool updates, new features, and developer tips delivered to your inbox.

What you'll get

Product updates & new tools
JSON, API & developer tips
Unsubscribe anytime — no hassle

Get in touch

Feature ideas, bugs, or a quick thanks — we read every message.

support@unblockdevs.com

Hash Generator

Related tools