Hash algorithms at a glance
| Algorithm | Output size | Status | Common use |
|---|---|---|---|
| MD5 | 128 bits / 32 hex | Broken for security | Non-adversarial checksums, dedup keys, cache busting |
| SHA-1 | 160 bits / 40 hex | Deprecated | Legacy git object IDs; do not use for new security work |
| SHA-256 | 256 bits / 64 hex | Recommended | File integrity, certificate fingerprints, blockchain |
| SHA-384 | 384 bits / 96 hex | Recommended | TLS certificates, signatures requiring extra margin |
| SHA-512 | 512 bits / 128 hex | Recommended | High-security signatures, password derivation roots |
How to verify a download
When a download page lists a SHA-256 checksum, paste the file into this tool, copy the SHA-256 result, and compare against the published value. If a single character differs the file is not the one the publisher signed and you should not run it.
Hashing is not encryption
Hashing is one-way: you cannot recover the original input from a hash. It is used to fingerprint data, not to hide it. For confidentiality use encryption (AES, age, PGP). For password storage never store raw hashes — use a password-specific key derivation function such as Argon2 or bcrypt with a salt.
FAQ
Are my files uploaded anywhere?
No. Everything runs locally using the Web Crypto API and a client-side MD5 implementation. The page makes no network requests with your data.
Why is MD5 still here if it is broken?
MD5 is still widely used for non-security checksums — for example, AWS S3 ETags, Git LFS, and many file-distribution mirrors. It is fast and small. Just do not rely on MD5 to detect malicious tampering.
Does case matter when comparing hashes?
Hex hashes are case-insensitive. 5d41402abc4b2a76b9719d911017c592 and 5D41402ABC4B2A76B9719D911017C592 represent the same value. Use the uppercase toggle to match the format of whatever you are comparing against.