Hash Generator Guide: SHA-256, MD5, and More — When to Use Each

DevToolbox

Generate SHA-256, MD5, SHA-1, and SHA-512 hashes online. Learn how hashing works, which algorithm to pick, and common use cases — privately in your browser.

Hash functions are one of the most fundamental concepts in computer science. They power everything from password storage and data integrity checks to blockchain and digital signatures. If you've ever downloaded a file and compared checksums, or wondered how your password is stored in a database, you've used hash functions.

This guide covers the most common hash algorithms — SHA-256, MD5, SHA-1, and SHA-512 — explains when to use each, and walks through practical examples. Need a quick hash? Our Hash Generator computes hashes instantly in your browser — no data ever leaves your device.

What Is a Hash Function?

A hash function takes input of any size and produces a fixed-size output (the "hash" or "digest"). Good cryptographic hash functions have these properties:

  • Deterministic: The same input always produces the same hash.
  • Fast to compute: Generating a hash takes minimal time.
  • One-way: You cannot reverse-engineer the input from the hash.
  • Avalanche effect: A tiny change in input produces a completely different hash.
  • Collision-resistant: It's practically impossible to find two different inputs that produce the same hash.

The Avalanche Effect in Action

SHA-256("hello")
→ 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

SHA-256("Hello")  // just one capital letter different
→ 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

The outputs are completely different — there's no way to tell the inputs were similar just by looking at the hashes.

Common Hash Algorithms Compared

MD5 (128-bit)

MD5("hello") → 5d41402abc4b2a76b9719d911017c592
  • Speed: Very fast
  • Security: Broken — collision attacks are practical
  • Use for: Checksums, non-security file deduplication, cache keys
  • Don't use for: Passwords, digital signatures, security tokens

SHA-1 (160-bit)

SHA-1("hello") → aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
  • Speed: Fast
  • Security: Weakened — collision attacks demonstrated (SHAttered, 2017)
  • Use for: Legacy systems, Git commit hashes (migrating to SHA-256)
  • Don't use for: New security applications

SHA-256 (256-bit)

SHA-256("hello") → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
  • Speed: Moderate
  • Security: Strong — no known practical attacks
  • Use for: Data integrity, digital signatures, blockchain, HMAC
  • Recommended: The current standard for most applications

SHA-512 (512-bit)

SHA-512("hello") → 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca7...
  • Speed: Faster than SHA-256 on 64-bit systems
  • Security: Strong — same family as SHA-256 but larger digest
  • Use for: When you need extra security margin or larger digests

When to Use Each Algorithm

File integrity/checksums → SHA-256 (or MD5 if non-security)
Password hashing        → bcrypt, scrypt, or Argon2 (NOT raw SHA/MD5!)
Digital signatures      → SHA-256 or SHA-512
HMAC authentication     → HMAC-SHA256
Blockchain              → SHA-256
Git commits             → SHA-1 (migrating to SHA-256)
Cache keys              → MD5 or SHA-256
Content deduplication   → SHA-256

Hashing in Practice

File Integrity Verification

When you download software, the publisher often provides a SHA-256 checksum. You can verify the download wasn't corrupted or tampered with:

# Linux/macOS
sha256sum downloaded-file.tar.gz
# Compare output with the published checksum

# Or verify directly
echo "expected_hash  downloaded-file.tar.gz" | sha256sum --check

API Request Signing (HMAC)

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to verify both integrity and authenticity:

// JavaScript — signing an API request
const crypto = require('crypto');
const signature = crypto
  .createHmac('sha256', apiSecret)
  .update(requestBody)
  .digest('hex');

// Add to request header
headers['X-Signature'] = signature;

Try our HMAC Generator to compute HMAC signatures instantly.

Generating Hashes in Different Languages

JavaScript (Browser)

async function sha256(message) {
  const msgBuffer = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}

const hash = await sha256("hello");

Python

import hashlib

# SHA-256
hash_hex = hashlib.sha256(b"hello").hexdigest()

# MD5
md5_hex = hashlib.md5(b"hello").hexdigest()

# SHA-512
sha512_hex = hashlib.sha512(b"hello").hexdigest()

# Hash a file
with open("file.bin", "rb") as f:
    file_hash = hashlib.sha256(f.read()).hexdigest()

Command Line

# SHA-256
echo -n "hello" | sha256sum

# MD5
echo -n "hello" | md5sum

# SHA-512
echo -n "hello" | sha512sum

# Hash a file
sha256sum myfile.txt

Password Hashing: Why Regular Hashes Are NOT Enough

This is the single most important thing to understand about hashing: never use MD5, SHA-1, or even SHA-256 directly for passwords.

Why? Because they're too fast. An attacker with a GPU can compute billions of SHA-256 hashes per second, making brute-force attacks trivial.

Instead, use purpose-built password hashing algorithms:

  • bcrypt: The industry standard. Configurable work factor. Try our bcrypt hasher.
  • scrypt: Memory-hard — resists GPU attacks.
  • Argon2: The modern winner (Argon2id is recommended). Memory-hard and GPU-resistant.
// Node.js — bcrypt
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash("userPassword", 12);
const isMatch = await bcrypt.compare("userPassword", hash);

Common Mistakes

1. Using MD5 for Security

MD5 collisions can be generated in seconds. Never use MD5 for anything security-related.

2. Hashing Passwords Without Salt

Without a unique salt per password, identical passwords produce identical hashes, enabling rainbow table attacks. Always use a unique random salt (bcrypt/Argon2 do this automatically).

3. Confusing Hashing with Encryption

Hashing is one-way — you cannot get the original data back. Encryption is two-way — with the key, you can decrypt. If you need to recover the original data, use encryption, not hashing.

Generate Hashes Instantly

Our Hash Generator computes MD5, SHA-1, SHA-256, and SHA-512 hashes in real-time. Paste your text or upload a file, and get all hash values at once. Everything runs in your browser — your data never touches our servers.

Need HMAC? Use the HMAC Generator. Need password hashing? Try the Bcrypt Hasher.

Summary

Hash functions are essential for data integrity, authentication, and security. Use SHA-256 as your default for general-purpose hashing, bcrypt/Argon2 for passwords, and HMAC-SHA256 for message authentication. Never use MD5 or SHA-1 for security-critical applications.

For quick hash computation, DevToolbox's Hash Generator is always available — free, private, and instant.

🛠️ Related Tools

Hash GeneratorHMAC GeneratorBcrypt Hasher
← Back to all articles