A practical guide to hashing algorithms for developers — SHA-256, MD5, SHA-1, SHA-512. When to use them, when not to, and how an online hash generator speeds up your workflow.
Last month I spent an embarrassing amount of time debugging a webhook integration. The HMAC-SHA256 signature my server was generating didn't match what the third-party docs showed. Turned out I was hashing the wrong part of the payload. Knowing the expected hash upfront — just by pasting the string into a hash tool — would have cut that debugging session from 2 hours to about 5 minutes.
Hashing comes up constantly: checking file integrity, debugging HMAC signatures, verifying that two config files are actually identical, generating cache keys, or just quickly confirming that a database stored a value correctly. An online hash generator is one of those tools you don't think about until you really need it, and then you use it every single day.
Here's the short version. MD5 produces a 128-bit hash (32 hex chars). SHA-1 gives you 160 bits (40 hex chars). SHA-256 outputs 256 bits (64 hex chars). SHA-512 doubles that to 512 bits (128 hex chars). Longer output = more collision resistance, but all four are deterministic — same input always gives same output.
MD5 and SHA-1 are cryptographically broken. Researchers can produce deliberate collisions — two different inputs with the same hash. That's a big deal for security-sensitive stuff. But for non-security use cases — file checksums to detect accidental corruption, cache keys, quick data deduplication — MD5 is still perfectly fine and fast. Don't let the 'broken' label scare you away from it when the threat model doesn't involve adversaries.
SHA-256 is the current workhorse. TLS certificates, Git object IDs, Bitcoin block headers, AWS request signing — they all use SHA-256. If you're not sure which algorithm to pick, SHA-256 is the safe default. SHA-512 is useful when you need more output bits, but it's overkill for most situations.
Quick warning: SHA-256 and MD5 are terrible for hashing passwords. Don't do it. These algorithms are designed to be fast, which is exactly what you don't want for passwords — it makes brute-force attacks trivial. For passwords, use bcrypt, Argon2, or scrypt. Those are slow by design and include salting built-in.
The hash generator here is for everything that's not password storage: HMAC verification, file integrity, generating deterministic IDs, comparing payloads, or just satisfying your curiosity about what SHA-256('hello') actually looks like. (It's 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, by the way.)
Webhook signature verification is probably the most common one. GitHub, Stripe, Shopify — they all send an HMAC-SHA256 signature with each webhook so you can confirm it came from them and wasn't tampered with. When I'm setting up a new integration, I'll paste a sample payload into the hash tool with the secret key just to sanity-check my implementation before the first real event fires.
File integrity checks are the other big one. Downloaded a binary from the internet and there's a SHA-256 checksum on the release page? Drop the file in the tool and compare. I also use this at work when someone sends config files over Slack and claims they're identical to what's in the repo — a quick hash comparison settles the argument in seconds.
Cache keys and ETags are another good fit. If you're building a caching layer and need a stable key from arbitrary content, hashing is the right approach. SHA-256 of the serialized content gives you a collision-resistant, fixed-length string that works as a cache key or ETag header value.
Generating deterministic IDs from content is surprisingly useful. Instead of a random UUID, sometimes you want an ID that's stable — same input always yields same ID. Hash the content, take the first 16 chars, done.
// Webhook HMAC-SHA256 verification (Node.js)
const crypto = require('crypto');
function verifyWebhookSignature(payload, secret, receivedSig) {
const expected = crypto
.createHmac('sha256', secret)
.update(payload, 'utf8')
.digest('hex');
// Timing-safe comparison — important for security
return crypto.timingSafeEqual(
Buffer.from(expected, 'hex'),
Buffer.from(receivedSig, 'hex')
);
}It's pretty straightforward. Paste your string, pick your algorithm, get the hash. A couple of things worth knowing: the tool hashes the exact string including whitespace. If you're getting a different hash than expected, a trailing newline is usually the culprit — command-line tools like `echo` add one by default. Try `echo -n 'yourstring' | sha256sum` in your terminal if you want to match exactly.
The tool also supports file hashing (drag and drop) which is handy for the checksum verification use case. All hashing happens client-side — nothing leaves your browser. Useful to know if you're working with anything sensitive.
For production code, obviously you're using your language's crypto library. Python has `hashlib`, Node has `crypto`, Go has `crypto/sha256`. The online tool isn't replacing that. What it does replace is the little scratch-pad moments: verifying your understanding of an algorithm, checking a hash you see in logs, testing what encoding matters (hex vs base64 output), or walking a teammate through what HMAC actually does.
Sometimes the fastest way to understand a bug is to reproduce the expected value manually. If your code produces `abc123...` but the vendor expects `def456...`, pasting the raw input into a tool tells you immediately whether the issue is the algorithm choice, the encoding, or the key.
import hashlib
# SHA-256 of a string
text = "hello world"
h = hashlib.sha256(text.encode('utf-8')).hexdigest()
print(h)
# b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576b4b7e0da8d43b9e5... wait
# Actually:
# hashlib.sha256(b"hello world").hexdigest()
# => 'b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576b4b7e0da8d43b9e5'
# Note: "hello" (no space) gives a different hash entirely
# This is why the online tool is handy for quick checksYes. SHA-256 has no known practical attacks and remains the standard for cryptographic use cases. It\'s used in TLS, Git, Bitcoin, and most modern security protocols. SHA-3 exists but hasn\'t replaced SHA-256 in practice.
No — hashing is a one-way function by design. You can't reverse it mathematically. The only way to 'crack' a hash is brute-force: try every possible input until one matches. For short strings, rainbow tables make this feasible, which is why passwords need salting.
For file integrity against accidental corruption (not malicious tampering), MD5 is still fine. 'Broken' means someone can deliberately craft a collision — two different files with the same MD5. If you're just checking a downloaded file wasn't corrupted in transit, that threat doesn't apply. For security-sensitive verification, use SHA-256.
A hash is just a fingerprint of data. An HMAC (Hash-based Message Authentication Code) is a hash computed with a secret key mixed in. HMACs let you verify both integrity and authenticity — that the data wasn't changed AND that whoever sent it knew the secret key.
Almost always a newline issue. `echo 'hello' | sha256sum` includes a trailing newline in the input. Use `echo -n 'hello' | sha256sum` to hash without it. The online tool hashes exactly what you type — no hidden characters.
Founder of CodeUtil. Web developer building tools I actually use. When I'm not coding, I experiment with productivity techniques (with mixed success).
Learn why password hashing matters, why MD5 is broken for security, how SHA-256 differs, and why bcrypt and Argon2 are the right choice for storing passwords. Understand rainbow tables, salting, and modern best practices.