How to Hash a String with SHA-256 Online (Free, Client-Side)
Generate SHA-256, SHA-1, MD5, and SHA-512 hashes in your browser. Free, instant, runs entirely client-side — no strings leave your device.
What a cryptographic hash is
A hash is a one-way function: input → fixed-size output (the hash or digest). The same input always produces the same hash. Different inputs produce different hashes with overwhelming probability. You cannot reverse a hash to recover the input. The hash generator computes SHA-256 (default), SHA-1, MD5, and SHA-512 on anything you paste.
When to use which algorithm
| Algorithm | Size | Status | Use for |
|---|---|---|---|
| SHA-256 | 256 bits / 64 hex chars | Current standard | General-purpose hashing, file integrity, blockchain |
| SHA-512 | 512 bits / 128 hex chars | Current standard | Password storage (with salt + work factor) |
| SHA-1 | 160 bits | Broken (2017) | Git commits only; not for security |
| MD5 | 128 bits | Broken (2004) | Non-security checksums only; never for passwords |
| bcrypt/argon2 | Variable | Password-specific | Password storage — what you actually want for user DBs |
Why raw SHA-256 is wrong for password storage
SHA-256 is fast. That's a feature for file integrity and a bug for password storage — attackers can compute billions of SHA-256 hashes per second and dictionary-attack your user DB. Password-specific algorithms (bcrypt, scrypt, argon2) are deliberately slow and include a per-user salt. Use the hash generator for fingerprints and integrity checks; use a dedicated library (or your auth provider) for passwords.
Common real uses of SHA-256
- File integrity — confirm a download matches its published hash (Linux ISOs, software releases)
- Git — every commit ID is a SHA-1 of commit content (migrating to SHA-256)
- Blockchain — Bitcoin mining computes SHA-256 hashes by the quintillion
- HMAC signing — API request signing combines SHA-256 with a secret key
- Content addressing — IPFS, Docker image layers, and content-delivery systems identify data by hash
- Deduplication — detect identical files without comparing byte-by-byte
The avalanche property
Change one bit of input; roughly half the bits of the hash flip. That's why hash("hello") and hash("Hello") look completely unrelated despite differing by a single letter. You can test this yourself by toggling one character in the input and watching every algorithm's output change completely.
Collisions and real-world impact
Two different inputs producing the same hash is a "collision." For MD5, researchers have produced colliding files on commodity hardware; for SHA-1, in 2017 Google published a practical collision. SHA-256 has no known collision attack better than brute force (2¹²⁸ operations — infeasible). When you see "SHA-1 deprecated" warnings, this is why.
Runs entirely in your browser
The tool uses the browser's SubtleCrypto API for SHA variants and a small WebAssembly module for MD5. Your input never leaves your device — verify by watching the Network tab in DevTools. Related: UUID generator for random IDs, password generator for actual password generation.
Featured Tools
Try these free tools directly in your browser — no sign-up required.
Hash Generator
Generate cryptographic hashes for any text using MD5, SHA-1, SHA-256, SHA-512, and more. Verify data integrity and create checksums instantly online.
Base64 Encoder / Decoder
Encode text or decode Base64 strings instantly online. Convert between plain text and Base64 encoding for data URLs, authentication headers, and API tokens.
UUID Generator
Generate UUID v1, v4, and v5 universally unique identifiers instantly. Create single or bulk UUIDs for databases, APIs, and distributed systems.
Password Generator
Generate strong, random passwords of any length with custom rules. Choose uppercase, lowercase, numbers, and symbols for maximum security.