Hash Generator Guide: SHA-256, MD5, and Data Integrity

Toolshubkit Editor
Published Jan 2025
10 MIN READ • Privacy & Security
Hashes are the digital fingerprints of data — fixed-length strings that uniquely represent any input, from a single character to a gigabyte file. Our Hash Generator uses the browser's native SubtleCrypto API to compute SHA-256, MD5, SHA-1, and SHA-512 hashes locally, with zero server contact.

Technical Mastery Overview

SHA-256 Support
MD5 Support
Web Crypto API
Local Calculation

What Is a Hash Function?

A cryptographic hash function takes an input of any size and produces a fixed-length output — the hash (also called a digest). Three properties make hash functions useful:

  1. Deterministic — the same input always produces the same output
  2. One-way — you cannot reverse a hash to recover the original input
  3. Avalanche effect — a single character change completely transforms the output

For example, SHA-256 of hello:

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

SHA-256 of Hello (capital H):

185f8db32921bd46d35cc53c83b94e5d1d3c4af00a30c9e0bef9e0b52fb0e4b3

Completely different. This is the avalanche effect — and it's what makes hashes useful for integrity verification.

Algorithm Comparison

| Algorithm | Output size | Speed | Security status | Use cases |
|-----------|-------------|-------|-----------------|-----------|
| MD5 | 128 bits (32 hex chars) | Very fast | Broken — collisions known | File checksums, non-security deduplication |
| SHA-1 | 160 bits (40 hex chars) | Fast | Deprecated — collisions demonstrated | Legacy systems, Git object IDs |
| SHA-256 | 256 bits (64 hex chars) | Fast | Secure | Digital signatures, certificates, HMAC |
| SHA-512 | 512 bits (128 hex chars) | Slightly slower | Secure | High-security applications, 64-bit systems |
| SHA-3/256 | 256 bits | Moderate | Secure (different design) | Post-quantum resilience |

Which to use:

  • SHA-256 — the default for most security applications. Used in TLS certificates, Bitcoin, code signing, HMAC authentication
  • SHA-512 — preferred when additional margin is needed (key derivation, high-value data)
  • MD5 — only for non-security checksums: verifying a downloaded file matches a published hash. Never for passwords, tokens, or signatures
  • SHA-1 — avoid for new systems. Only relevant when maintaining legacy integrations

Use Case 1: File Integrity Verification

When you download software, the publisher often provides a SHA-256 hash alongside the download link. After downloading, hash the file and compare:

sha256sum my-download.iso
# Output: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  my-download.iso

If the hash matches the published value, the file arrived intact and unmodified. If it doesn't, the file was corrupted in transit or tampered with — don't use it.

Our browser-based hasher handles text inputs directly. For files, the SubtleCrypto API processes the binary content without sending bytes anywhere.
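The comparison step described above, as an added example (not code from the Hash Generator itself). It hashes bytes with subtle.digest() and checks them against a published value; the function names and the sample "download" are assumptions made for illustration.

```javascript
// Added example: check downloaded bytes against a published SHA-256 digest.
// Browsers and recent Node expose a global `crypto`; older Node needs the fallback.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Hex-encode an ArrayBuffer digest.
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Published digests get pasted in upper case, with stray whitespace, or as a
// whole `sha256sum` line ("<hash>  <file>"). Keep the first token and insist on
// exactly 64 hex characters, so an MD5 or truncated value is rejected up front.
function normalizePublished(published) {
  const token = published.trim().split(/\s+/)[0].toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(token)) {
    throw new Error("published value is not a 64-hex-character SHA-256 digest");
  }
  return token;
}

async function sha256Hex(bytes) {
  return toHex(await subtle.digest("SHA-256", bytes));
}

// Returns both digests so a mismatch can be logged, not just detected.
async function verifyDownload(bytes, published) {
  const expected = normalizePublished(published);
  const computed = await sha256Hex(bytes);
  return { ok: computed === expected, computed, expected };
}

// Constructed sample: the "download" is the five bytes of "hello", and the
// published line reuses the digest this page shows for that input.
const SAMPLE_FILE = new TextEncoder().encode("hello");
const SAMPLE_PUBLISHED =
  "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824  my-download.iso\n";

async function demo() {
  const intact = await verifyDownload(SAMPLE_FILE, SAMPLE_PUBLISHED);
  const altered = SAMPLE_FILE.slice();
  altered[0] ^= 0x01; // flip a single bit of the first byte
  const tampered = await verifyDownload(altered, SAMPLE_PUBLISHED);
  return { intact: intact.ok, tampered: tampered.ok };
}

demo().then((r) => console.log(r)); // { intact: true, tampered: false }
```

In a browser, pass `new Uint8Array(await file.arrayBuffer())` as `bytes`. The result is only as trustworthy as the channel the published digest arrived through.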

Use Case 2: Cache Busting in Web Builds

Content-addressed filenames are a standard technique for cache invalidation. Instead of:

<script src="/app.js"></script>

Build tools generate:

<script src="/app.2cf24dba.js"></script>

The hash in the filename changes whenever the file content changes. Browsers cache the file indefinitely (since the filename includes its hash), but serve new content when the hash changes. Use our generator to compute content hashes during local build experimentation, or to verify that your build tool is computing them correctly.

Use Case 3: Data Deduplication

When storing large collections of files or blobs, hashing lets you identify duplicates without byte-by-byte comparison. Hash each file, store the hash as a key — files with identical hashes are identical content. This is how Git stores objects, how Docker stores image layers, and how backup systems avoid storing the same file twice.

Use Case 4: HMAC — Hashing for Authentication

A plain hash doesn't authenticate the sender — anyone can compute SHA-256 of a message. HMAC (Hash-based Message Authentication Code) adds a secret key:

HMAC-SHA256(key, message) → authentication tag

The receiver recomputes the HMAC using the shared secret. If the tags match, the message came from someone with the secret and wasn't modified in transit. This is the basis of:

  • Webhook signature verification (Stripe, GitHub, Slack all use HMAC-SHA256)
  • JWT HS256 signatures
  • API request signing (AWS Signature Version 4)

Use our Webhook Signature Verifier to test HMAC signatures for webhook endpoints, and our JWT Debugger to inspect HS256-signed tokens.
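The sign-and-recompute exchange described above, as an added example that is not code from this site's tools or from any webhook provider. The secret, payload and plain-hex tag format are constructed assumptions; real providers define their own header names and signed-string layouts.

```javascript
// Added example: HMAC-SHA256 signing and verification of a webhook body.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Returns null for anything that is not an even-length hex string.
function fromHex(hex) {
  if (typeof hex !== "string" || !/^(?:[0-9a-fA-F]{2})+$/.test(hex)) return null;
  return Uint8Array.from(hex.match(/../g), (pair) => parseInt(pair, 16));
}

function importHmacKey(secret, usage) {
  return subtle.importKey(
    "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Sender side: tag = HMAC-SHA256(key, message), hex-encoded.
async function signBody(secret, rawBody) {
  const key = await importHmacKey(secret, "sign");
  return toHex(await subtle.sign("HMAC", key, enc.encode(rawBody)));
}

// Receiver side: subtle.verify recomputes the tag and does the comparison
// inside the crypto implementation, instead of a hand-written string ===.
async function verifyBody(secret, rawBody, signatureHex) {
  const tag = fromHex(signatureHex);
  if (tag === null || tag.length !== 32) return false; // SHA-256 tag is 32 bytes
  const key = await importHmacKey(secret, "verify");
  return subtle.verify("HMAC", key, tag, enc.encode(rawBody));
}

// Constructed sample values; the secret and payload are made up.
const SECRET = "example-shared-secret";
const RAW_BODY = '{"event":"invoice.paid","amount":4200}';

async function demo() {
  const tag = await signBody(SECRET, RAW_BODY);
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY), null, 2); // new bytes
  return {
    genuine: await verifyBody(SECRET, RAW_BODY, tag),
    wrongSecret: await verifyBody("guessed-secret", RAW_BODY, tag),
    reserialized: await verifyBody(SECRET, reserialized, tag),
    malformedTag: await verifyBody(SECRET, RAW_BODY, "not-hex"),
  };
}

demo().then((r) => console.log(r));
```

The `reserialized` case is the usual cause of a failing webhook check: the tag covers the exact request bytes, so verify before any JSON parsing or re-encoding.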

MD5 Collisions — Why the Algorithm Is Broken

MD5 was broken in 2004 when researchers demonstrated a practical collision attack. In 2008, a team created a rogue CA certificate with an MD5 collision, demonstrating real-world exploitability. Today, computing MD5 collisions takes minutes on consumer hardware.

What this means: an attacker can produce two different files with the same MD5 hash. This completely undermines integrity checking. If someone gives you an MD5 hash of a "legitimate" file, they can swap that file for a malicious one with the same hash.

SHA-1 was broken in 2017 (Google's SHAttered attack). Both are deprecated for security use.

The rule: use SHA-256 or SHA-512 for anything security-relevant. MD5 is only safe as a fast deduplication key where collision resistance isn't a security property.

Why Passwords Require a Different Approach

Hashing passwords with SHA-256 (even with a salt) is dangerous. SHA-256 is designed to be fast — modern hardware computes billions of SHA-256 hashes per second. This makes brute-force attacks practical.

Password storage requires slow hashing algorithms:

| Algorithm | Recommended | Notes |
|-----------|-------------|-------|
| Argon2id | ✅ Best choice | Memory-hard, tunable, PHC winner |
| bcrypt | ✅ Solid | 72-char limit, widely supported |
| scrypt | ✅ Good | Memory-hard, strong choice |
| PBKDF2-SHA256 | ⚠️ Acceptable | FIPS compliant, less GPU-resistant |
| SHA-256 (raw) | ❌ Never | Too fast, trivially brute-forced |

These algorithms are intentionally slow, with configurable work factors that increase as hardware gets faster. They're not available in our browser tool — use your backend's password hashing library (bcrypt.js, passlib, golang.org/x/crypto/bcrypt).

Use our Hash Generator for everything else: file verification, checksums, content addressing, testing HMAC payloads, and understanding what different algorithms produce.
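What a salted, work-factor-based password record looks like, as an added example that is not part of the Hash Generator or of any library named above. It uses PBKDF2-SHA256 only because that is the slow algorithm Web Crypto provides; the record layout, iteration count and function names are assumptions, and a backend would normally call an Argon2id or bcrypt library instead.

```javascript
// Added example: salted, deliberately slow password hashing with
// PBKDF2-HMAC-SHA256 through Web Crypto (the record format is an assumption).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // assumed work factor; raise it as hardware gets faster

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g) ?? [], (pair) => parseInt(pair, 16));

async function derive(password, salt, iterations) {
  const material = await webcrypto.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
  const bits = await webcrypto.subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, material, 256);
  return new Uint8Array(bits);
}

// Record layout: pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>.
// Storing the work factor lets old records verify after ITERATIONS is raised.
async function hashPassword(password, iterations = ITERATIONS) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16)); // unique per password
  const hash = await derive(password, salt, iterations);
  return ["pbkdf2-sha256", iterations, toHex(salt), toHex(hash)].join("$");
}

async function verifyPassword(password, record) {
  const [scheme, iterations, saltHex, hashHex] = String(record).split("$");
  if (scheme !== "pbkdf2-sha256" || !/^[1-9]\d*$/.test(iterations ?? "")) return false;
  const expected = fromHex(hashHex ?? "");
  const actual = await derive(password, fromHex(saltHex ?? ""), Number(iterations));
  // OR the byte differences together so the loop never exits early on a mismatch.
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < actual.length; i++) diff |= actual[i] ^ (expected[i] ?? 0);
  return diff === 0;
}

async function demo() {
  const first = await hashPassword("correct horse battery staple"); // constructed password
  const second = await hashPassword("correct horse battery staple");
  return {
    saltsDiffer: first !== second, // same password, different records
    accepts: await verifyPassword("correct horse battery staple", first),
    rejects: await verifyPassword("Tr0ub4dor&3", first),
  };
}

demo().then((r) => console.log(r));
```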

Privacy: Why Local Hashing Matters

Hash inputs are often sensitive: passwords (before hashing) used during testing, API secrets, file contents, database IDs. Sending these to a cloud-based hasher means the unhashed value traverses a network, potentially through logs, proxies, and third-party infrastructure.

Our generator uses the window.crypto.subtle.digest() API — hardware-accelerated, FIPS 140-2 compliant, and entirely local. Nothing leaves your browser tab.

Comparing Hash Outputs

When verifying a published hash against your computed one, use our Text Diff Checker to compare the two strings side-by-side. A single character mismatch is easy to miss visually — the diff checker catches it instantly. Combine with our UUID Generator for generating unique identifiers that accompany hash records in your database or audit logs.

Hash everything sensitive locally. Pick SHA-256 or SHA-512 for security work, MD5 only for checksums, and combine with HMAC for authentication. Never hash passwords without a slow algorithm like Argon2id.