What Is a Cryptographic Hash?
A cryptographic hash function takes any input — a word, a sentence, or a 10GB video file — and produces a fixed-length string of characters called the hash or digest. SHA-256 always produces a 64-character hexadecimal string. SHA-512 always produces 128 characters. The length of the output never changes regardless of how large or small the input is.
The critical property: if you change even a single character of the input, the entire hash changes completely. This makes hashes perfect for verifying that data has not been altered.
Generate hashes instantly with our free Hash Generator.
Common Hash Algorithms
MD5 (128-bit)
Produces a 32-character hash. Fast and widely used historically, but cryptographically broken — attackers can engineer two different files with the same MD5 hash (a collision). Never use MD5 for security purposes. It is still useful for quick non-security file checksums.
SHA-1 (160-bit)
Produces a 40-character hash. Also broken — Google demonstrated a SHA-1 collision in 2017 (the SHAttered attack). Avoid for any new security application.
SHA-256 (256-bit)
Part of the SHA-2 family. Produces a 64-character hash. Considered secure and is the current standard for most applications including TLS certificates, Bitcoin, and software distribution. Use SHA-256 for all new projects.
SHA-512 (512-bit)
Double the output size of SHA-256. Marginally slower but produces a 128-character hash. Use when you need extra margin for high-security applications.
How to Verify a Downloaded File
When you download software from a reputable source, the download page often shows a checksum like this:
SHA-256: a3f5d8e9b2c14f7082d5a9e3c1b4f7d0 ...
To verify your download:
- Download the file
- Go to our Hash Generator
- Click "Hash a file" and select your downloaded file
- Compare the SHA-256 hash shown against the one on the download page
- If they match exactly, your file is authentic and untampered
If even one character differs, do not use the file — it may have been modified by a man-in-the-middle attack or downloaded from a malicious mirror.
What Is HMAC?
HMAC (Hash-based Message Authentication Code) is a hash computed using a secret key. Unlike a regular hash which anyone can verify, only someone with the key can produce the correct HMAC. This is used in API authentication, session tokens, and webhook signatures.
Our Hash Generator includes an HMAC-SHA256 option — enter your message and secret key to generate the authentication code.
Hash Functions in Everyday Technology
- Passwords — Websites store SHA-256 or bcrypt hashes of your password, not the password itself. When you log in, they hash what you type and compare it to the stored hash.
- Bitcoin — The blockchain uses SHA-256 to link blocks together and in the mining proof-of-work algorithm.
- Torrent info-hash — The info-hash that identifies a torrent is the SHA-1 hash of its info dictionary. Our Torrent to Magnet tool computes this.
- Git version control — Every commit, file, and directory in a Git repository is identified by its SHA-1 hash.
- SSL/TLS certificates — HTTPS connections use SHA-256 in certificate signing and the handshake process.
Related Tools
- Base64 Encoder — Encode binary data as text
- Torrent Editor — View and edit torrent info-hashes
- HTTP Headers Checker — Inspect security headers on any website