Hash Generator
Hash text or a file
SHA-1, SHA-256, SHA-384 and SHA-512 with hex or Base64 output and optional HMAC — plus bcrypt and Argon2 password hashing. Everything is computed locally — nothing leaves your browser.
Output format
HMAC optional
A key switches every algorithm into keyed HMAC mode.
Digests
Password hashing Argon2 · bcrypt · scrypt · PBKDF2
Slow, salted, one-way hashes for storing passwords — a fresh random salt is used on every run. Runs locally with WebAssembly.
Privacy first
Local hashing with the Web Crypto API
Digests are computed with crypto.subtle.digest and crypto.subtle.sign — the browser's own audited cryptography. Your text, files and HMAC keys never leave the page, there are no trackers, and the tool keeps working offline after load.
Why no MD5?
Browsers do not implement MD5 in the Web Crypto API, and it is cryptographically broken (practical collisions). This tool exposes only the SHA algorithms the platform provides natively.
How do I verify a download's checksum?
Pick the algorithm the publisher used (usually SHA-256), switch to the File tab, choose the file, and compare the hex digest to the published value. A single differing character means the file does not match.
Hex or Base64 — which should I use?
Hex is the usual format for checksums and is case-insensitive. Base64 is shorter and common in HTTP headers, JWTs and APIs. The raw digest bytes are identical; only the encoding differs.
What is HMAC for?
HMAC adds a secret key so a tag proves both that the message is intact and that it came from someone holding the key. It is used for API request signing, webhooks and cookie/session integrity.
bcrypt or Argon2 for passwords?
Both are slow, salted password hashes — never use plain SHA for passwords. bcrypt is battle-tested and ubiquitous; raise its cost factor as hardware improves. Argon2id is the modern OWASP default: its memory cost (try ≈19 MiB) makes GPU and ASIC cracking expensive. The encoded output already embeds the salt and parameters.