Hashing, Quick Facts
- •A hash function turns any input, however large, into a fixed-length fingerprint (128 bits for MD5, 256 bits for SHA-256, and so on).
- •The same input always produces the exact same hash; changing even one character produces a completely different result (the avalanche effect).
- •MD5 and SHA-1 are cryptographically broken: collisions have been demonstrated, so neither should be used for passwords or security-critical signatures anymore.
- •For password storage, use a purpose-built algorithm like bcrypt, scrypt, or Argon2, never a raw hash like these, they are far too fast to brute-force.
The Real Problem This Solves
Downloaded a file and want to confirm it hasn't been corrupted or tampered with? Comparing byte-by-byte is impractical, comparing a short hash is instant.
Developers also use hashes to fingerprint strings for caching keys, detect duplicate content, or verify that two pieces of text are identical without storing the text itself.
How Hash Functions Work
A hash function processes your input through a fixed sequence of mathematical operations, bit shifts, XORs, modular additions, that mix every input bit into every output bit. The result is deterministic (same input, same output) but effectively irreversible: you cannot practically reconstruct the original input from the hash alone.
Example: Hashing "CalculatorWala" and "calculatorwala" (just one letter's case changed) with SHA-256 produces two completely unrelated 64-character hex strings, there's no partial similarity, which is exactly what makes hashes reliable for detecting even a single-character change.
| Algorithm | Output Length | Status |
|---|---|---|
| MD5 | 128 bits (32 hex chars) | Broken, avoid for security |
| SHA-1 | 160 bits (40 hex chars) | Broken, deprecated by browsers/CAs |
| SHA-256 | 256 bits (64 hex chars) | Secure, current industry standard |
| SHA-512 | 512 bits (128 hex chars) | Secure, used for a larger digest |
Frequently Asked Questions
Can a hash be reversed back to the original text?
No, not directly. Hash functions are one-way by design. The only way to "reverse" one is to guess inputs and hash them until you find a match, a brute-force or dictionary attack, which is why weak, guessable inputs like short passwords are vulnerable even though the hash itself cannot be mathematically inverted.
Why shouldn't I use MD5 or SHA-1 for security?
Both have known collision attacks, meaning two different inputs can be crafted to produce the same hash, which breaks their use in digital signatures and certificate validation. They're still fine for non-security uses like checksums or cache keys.
Which algorithm should I use for password hashing?
None of the ones on this page. Passwords need a slow, salted algorithm designed to resist brute-forcing, like bcrypt, scrypt, or Argon2. Fast general-purpose hashes like SHA-256 can be brute-forced at billions of guesses per second on modern hardware.
Why do two similar pieces of text sometimes look similar in their hash?
They don't, meaningfully. Any visual similarity is coincidental; well-designed hash functions ensure a one-character input change flips roughly half the output bits.
Is this hash generated locally or sent to a server?
Entirely locally. MD5 runs via a pure JavaScript implementation, and the SHA family runs via your browser's built-in Web Crypto API, both entirely in your browser. Nothing is uploaded.
Need a random identifier instead of a fingerprint?
A hash is deterministic, same input, same output. If you need a unique, unpredictable ID instead, generate one with our UUID Generator.
Open UUID Generator →