Text Hash Viewer

Paste text and read off the SHA-256, SHA-1, and MD5 hashes computed locally in your browser via the Web Crypto API. The text never leaves your machine — hashing runs entirely client-side, which matters when the input is sensitive.

SHA-256 is the modern standard and should be your default for anything new — file integrity, tamper detection, password hashing (with proper salt and key-stretching), digital signatures. SHA-1 is deprecated for security uses but still appears in legacy systems. MD5 is broken for security and only useful for non-adversarial integrity checks (checksums on downloads where you trust the source).

Note that hashing is one-way. The hash uniquely identifies the input but doesn't let you recover it. For two-way needs (encryption, encoding), you want a different primitive entirely.

How each algorithm works: hash functions compress arbitrary-length input into a fixed-length output via a deterministic transformation. SHA-256 produces 256 bits (64 hex characters); SHA-1 produces 160 bits (40 hex); MD5 produces 128 bits (32 hex). The same input always produces the same output. Tiny changes in input produce wildly different outputs (the avalanche property) — flip one bit and roughly half the output bits change. The 'one-way' property means computing a hash from input is fast; finding an input that produces a given hash should be computationally infeasible for any cryptographically-secure hash.

Worked example: paste 'hello world.' MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3. SHA-1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed. SHA-256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9. Now paste 'Hello world' (capital H). All three hashes change completely — that's the avalanche property in action. Now paste a 10MB file's contents (theoretically). All three algorithms still return their fixed-length outputs in milliseconds; the throughput is in hundreds of MB/s on modern CPUs.

Which algorithm to use when: SHA-256 for everything new. SHA-1 when an existing system requires it (Git uses SHA-1 internally, though it's transitioning). MD5 only when speed and ubiquity matter more than security — content addressing, cache keys, file deduplication where attackers can't influence inputs. Never use any of these as a password hashing function alone — passwords need salt + key-stretching (Argon2id, scrypt, bcrypt) so that brute-force attacks against stolen hash dumps are computationally expensive. A raw SHA-256 of a password is crackable in hours by a modern GPU rig; a properly-tuned Argon2id hash takes years.