What is Hashing?
A hash function is a one-way mathematical algorithm that transforms any input — a single character, an entire file, or anything in between — into a fixed-length string of characters called a hash, digest, or checksum. Three properties define a good cryptographic hash function:
- Deterministic: The same input always produces the exact same output.
- Fixed-length output: Regardless of input size, the hash is always the same length (e.g., SHA-256 always outputs 64 hex characters).
- One-way: Given a hash, it is computationally infeasible to recover the original input.
Even a tiny change to the input — flipping a single bit — produces a completely different hash. This property, called the avalanche effect, is what makes hashes useful for detecting changes in data.
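The avalanche effect can be measured directly. The following is an added example, not code from the tool this page describes: it flips one input bit and counts how many of SHA-256's 256 output bits change. The function names and the sample message are constructed for illustration.

```javascript
// Web Crypto is global in browsers and recent Node.js; older Node exposes it as crypto.webcrypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

async function sha256(bytes) {
  return new Uint8Array(await subtle.digest("SHA-256", bytes));
}

// Number of bit positions in which two equal-length digests differ.
function bitDistance(a, b) {
  let count = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) count += x & 1;
  }
  return count;
}

// Hash a message and a copy with exactly one input bit flipped.
async function avalanche(message) {
  const original = new TextEncoder().encode(message);
  if (original.length === 0) throw new Error("need at least one byte to flip");
  const flipped = original.slice();
  flipped[0] ^= 0x01; // lowest bit of the first byte
  const [h1, h2] = await Promise.all([sha256(original), sha256(flipped)]);
  return {
    before: toHex(h1),
    after: toHex(h2),
    bitsChanged: bitDistance(h1, h2),
    totalBits: h1.length * 8,
  };
}

// Constructed sample input; roughly half of the 256 output bits should differ.
avalanche("transfer $100 to alice").then((r) => console.log(r));
```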
Common Hash Algorithms
Several hash algorithms are in widespread use, each with different output sizes and security profiles:
- MD5 (128-bit / 32 hex chars): Fast but cryptographically broken since 2004. Still used for non-security checksums, such as detecting accidental corruption of a downloaded file, but it cannot show that a file was not deliberately tampered with.
- SHA-1 (160-bit / 40 hex chars): Once the standard, but collision attacks were demonstrated in 2017 (SHAttered). Deprecated for certificates and signatures. Git historically used SHA-1 for commit hashes.
- SHA-256 (256-bit / 64 hex chars): Part of the SHA-2 family. The current workhorse — used in TLS certificates, Bitcoin, code signing, and package managers. No known practical attacks.
- SHA-512 (512-bit / 128 hex chars): Also SHA-2 family. Larger output, can be faster than SHA-256 on 64-bit processors. Used when extra security margin is desired.
Hashing vs. Encryption
Hashing and encryption both transform data, but they serve fundamentally different purposes:
- Hashing is one-way. You cannot recover the original input from a hash. It is used for verification — confirming that data matches an expected value without storing the data itself.
- Encryption is two-way. Encrypted data can be decrypted with the correct key. It is used for confidentiality — protecting data in transit or at rest so only authorized parties can read it.
A common mistake is using encryption where hashing is appropriate (e.g., storing passwords). Passwords should always be hashed (ideally with a purpose-built algorithm like bcrypt or Argon2), never encrypted, because there should be no way to recover the plaintext.
Common Use Cases
- Password storage: Servers store hashed passwords. When you log in, your input is hashed and compared to the stored hash — the plaintext password is never saved.
- Data integrity: Download pages list SHA-256 checksums so you can verify a file was not corrupted or tampered with during transfer.
- Digital signatures: Signing algorithms hash the document first, then encrypt the hash with a private key. The recipient decrypts and re-hashes to verify authenticity.
- Deduplication: Cloud storage and backup systems hash file blocks to detect duplicates without comparing raw content byte-by-byte.
- Version control: Git identifies every commit, tree, and blob by its SHA hash, enabling fast content-addressed lookups across the entire repository history.
How to Use This Tool
- Type or paste text into the input field — SHA-1, SHA-256, and SHA-512 hashes are computed in real time as you type.
- Alternatively, drag and drop a file (or click "choose file") to hash its raw binary contents.
- Click Copy next to any hash to copy it to your clipboard.
- To verify a hash, paste it into the "Verify Hash" field — the tool will tell you which algorithm it matches (if any).
All hashing is performed entirely in your browser using the Web Crypto API. No data is sent to any server.
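What the steps above amount to in code, as an added sketch that is not the tool's own source: the input is hashed with the Web Crypto API under all three algorithms, and a pasted hash is matched against the results. The names hashAll and verifyHash are hypothetical.

```javascript
// Web Crypto is global in browsers and recent Node.js; older Node exposes it as crypto.webcrypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const ALGORITHMS = ["SHA-1", "SHA-256", "SHA-512"];

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Accepts a string (hashed as UTF-8) or raw bytes, e.g. `await file.arrayBuffer()`
// for a dropped file in the browser.
async function hashAll(input) {
  const bytes = typeof input === "string" ? new TextEncoder().encode(input) : input;
  const result = {};
  for (const alg of ALGORITHMS) {
    result[alg] = toHex(await subtle.digest(alg, bytes));
  }
  return result;
}

// Returns the algorithm whose digest of `input` equals `candidate`, or null.
async function verifyHash(input, candidate) {
  const wanted = candidate.trim().toLowerCase();
  if (!/^[0-9a-f]+$/.test(wanted)) return null; // not a hex digest at all
  const hashes = await hashAll(input);
  for (const alg of ALGORITHMS) {
    // Digest length (40, 64 or 128 hex characters) already tells the algorithms apart.
    if (hashes[alg].length === wanted.length && hashes[alg] === wanted) return alg;
  }
  return null;
}
```

Trimming and lower-casing the pasted value matters in practice, because checksums copied from download pages often arrive upper-cased or with trailing whitespace.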
Frequently Asked Questions
What is a hash function?
A hash function is a one-way mathematical function that takes an input of any size and produces a fixed-length output called a hash or digest. The same input always produces the same hash, but you cannot reverse the process to recover the original input from the hash.
What's the difference between hashing and encryption?
Hashing is a one-way process — you cannot recover the original data from a hash. Encryption is two-way — encrypted data can be decrypted back to the original using the correct key. Hashing is used for verification (passwords, checksums), while encryption is used when data needs to be recovered later (secure communication, file storage).
Is MD5 still safe to use?
MD5 is no longer considered cryptographically secure. Collision attacks have been demonstrated since 2004, meaning two different inputs can be crafted to produce the same MD5 hash. MD5 is still acceptable for non-security purposes such as checksums that catch accidental file corruption, but for security-sensitive applications use SHA-256 or SHA-512.
What is SHA-256?
SHA-256 is a member of the SHA-2 family of hash functions designed by the NSA. It produces a 256-bit (32-byte) hash value, typically rendered as a 64-character hexadecimal string. SHA-256 is widely used in TLS/SSL certificates, Bitcoin mining, digital signatures, and software integrity verification.
Can you reverse a hash?
No. Cryptographic hash functions are designed to be one-way. There is no mathematical method to compute the original input from a hash. The only way to find the input is through brute-force guessing or using precomputed lookup tables (rainbow tables), which is why strong, salted hashing is used for passwords.
Why do different inputs sometimes produce the same hash?
This is called a collision. Because hash functions map an infinite set of possible inputs to a fixed-size output, collisions must theoretically exist. However, for secure algorithms like SHA-256, the output space is so large (2^256 possibilities) that finding a collision by chance is computationally infeasible.
What is a salt in hashing?
A salt is a random value added to an input before hashing, most commonly used in password storage. Salting ensures that two users with the same password get different hashes, which defeats rainbow table attacks and makes brute-force cracking much harder.
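Salted password storage, as described here and in the password-storage advice earlier on the page, shown as an added example that is not part of the tool. It uses PBKDF2 with SHA-256 because that is the password-hashing primitive the Web Crypto API exposes; bcrypt or Argon2, which the page recommends, need a separate library. The function names, record layout and iteration count are assumptions made for illustration.

```javascript
// Web Crypto is global in browsers and recent Node.js; older Node exposes it as crypto.webcrypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000; // illustrative work factor; tune it to your hardware

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

async function derive(password, salt, iterations) {
  const key = await webCrypto.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
  const bits = await webCrypto.subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, key, 256);
  return new Uint8Array(bits);
}

// Build the record a server stores: the salt and work factor travel with the hash.
async function hashPassword(password) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16)); // fresh for every user
  const hash = await derive(password, salt, ITERATIONS);
  return { salt: toHex(salt), iterations: ITERATIONS, hash: toHex(hash) };
}

// Re-derive with the stored salt and compare without exiting on the first mismatch.
async function verifyPassword(password, record) {
  const expected = fromHex(record.hash);
  const actual = await derive(password, fromHex(record.salt), record.iterations);
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < actual.length; i++) diff |= expected[i] ^ actual[i];
  return diff === 0;
}
```

Two users who choose the same password get different stored hashes, so one precomputed table cannot be reused across accounts.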