How to generate a SHA-256 hash of any text
You need the SHA-256 hash of a string: to verify a download against a published checksum, to build a cache key, or just to check what a piece of data hashes to. Paste the text into the Hash Generator and it produces SHA-1, SHA-256, SHA-384, and SHA-512 digests live as you type, entirely in your browser. Nothing you paste leaves the page.
What a hash actually is
A cryptographic hash function takes input of any length and produces a fixed-length output called a digest. SHA-256 always produces 256 bits, written as 64 hexadecimal characters, whether you hash a single word or a two gigabyte file. Three properties make it useful:
- Deterministic. The same input always produces the same digest, on any machine, in any language.
- One way. There is no practical way to recover the input from the digest.
- Avalanche effect. Changing even one bit of the input produces a completely different digest.
You can see the avalanche effect directly. The SHA-256 of hello is:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Change one letter to hella and the digest shares nothing recognizable with the first:
70de66401b1399d79b843521ee726dcec1e9a8cb5708ec1520f1f3bb4b1dd984
There is no partial match for a near miss. The input either matches exactly or the digest is unrelated, which is exactly what makes hashes good for verification.
Generating one
Paste or type your text into the tool. The digests update on every keystroke, so there is no button to press: read off the SHA-256 line and copy it. Note that hashing operates on bytes, so the exact input matters. A trailing newline or a stray space produces a different digest, which is the most common reason two people hash "the same" string and get different results.
What hashes are used for
- Integrity checks and checksums. A site publishes the SHA-256 of a file; you hash your downloaded copy and compare. A match means the bytes are identical.
- Cache keys. Hash a request body or a set of parameters to get a short, fixed-length key that changes whenever the input changes.
- Deduplication. Two files with the same digest are the same file, so you store one copy.
- Content addressing. Systems like git name objects by their hash. A commit id is a hash of the commit's content, which is why history cannot be silently rewritten.
What hashing is not for
Two things people regularly get wrong:
Storing passwords. A fast general purpose hash like SHA-256 is the wrong tool for passwords, even with a salt. It is designed to be quick, and quick is exactly what an attacker with a GPU wants. Password storage needs a deliberately slow, salted algorithm like bcrypt or argon2. The full reasoning is in When to use SHA-256 vs HMAC vs bcrypt.
Encryption. A hash cannot be reversed, by you or by anyone else. If you need the original data back, you need encryption, which is a different operation with keys and a decrypt step. A hash is a fingerprint, not a locked box.
What about MD5?
The tool does not offer MD5, and that is deliberate. MD5 is cryptographically broken: researchers can construct two different inputs with the same MD5 digest, which defeats the whole point of a hash for any security or integrity purpose. Browsers agree; the Web Crypto API that powers this tool omits MD5 entirely. If you are following an old guide that asks for an MD5 checksum, SHA-256 is the sensible default replacement, and most projects that once published MD5 sums now publish SHA-256 alongside or instead.
SHA-1, SHA-256, SHA-512 at a glance
| Algorithm | Digest length | Status |
|---|---|---|
| SHA-1 | 160 bits (40 hex chars) | Broken for collision resistance; legacy compatibility only |
| SHA-256 | 256 bits (64 hex chars) | Current standard, the sensible default |
| SHA-512 | 512 bits (128 hex chars) | Secure; longer digest, often faster on 64 bit CPUs |
When in doubt, use SHA-256. Reach for SHA-1 only when an existing system requires it, and SHA-512 when a spec asks for it. Try all of them side by side in the Hash Generator.