Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes of any text, right in your browser.
How to use the Hash Generator
Type or paste your text.
Pick the hash algorithm.
Copy the resulting hex digest.
A hash function takes any input, a word or a whole document, and produces a fixed-size string of characters called a digest. SHA-256, for example, always returns 256 bits written as 64 hexadecimal characters, whether you feed it one letter or a megabyte of text.
Two properties make hashes useful. They are deterministic, so the same input always produces the same digest, and they show the avalanche effect, so changing a single character produces a completely different result. That makes a hash a compact fingerprint of the exact content.
This tool computes SHA-1, SHA-256, SHA-384 and SHA-512 digests of your text locally using the browser's Web Crypto API, then shows the hex result ready to copy. SHA-256 is the sensible default for most purposes.
Hashing is one-way: you cannot reverse a digest back into the original input. That is the point. It is used to verify integrity (has this file or message changed?), to build checksums, to deduplicate content, and as a building block inside signatures and version-control systems like Git.
SHA-1 is broken for security-critical uses because collisions can be engineered, though it is still fine as a non-security checksum. Prefer SHA-256 or stronger when security matters. MD5 is intentionally not offered because it is considered insecure.
Hashing is not encryption and is not, by itself, the right way to store passwords. Raw SHA functions are deliberately fast, which helps attackers guess passwords quickly. For passwords use a slow, salted scheme such as bcrypt, scrypt or Argon2; the bcrypt generator here is built for that.
Frequently asked questions
SHA-1, SHA-256, SHA-384 and SHA-512, via the browser's Web Crypto API. SHA-256 is a good default for most uses.
No. MD5 is considered insecure and is not provided by the Web Crypto API. Prefer SHA-256 or stronger.
No. Hashing is one-way by design. The only way to find an input for a given hash is to guess inputs and hash them, which is why strong hashes protect integrity.
That is the avalanche effect, a deliberate property of cryptographic hashes. Flipping one character changes roughly half the output bits, so similar inputs do not produce similar digests.
Not directly. Plain SHA is too fast for password storage. Use a slow, salted algorithm such as bcrypt, scrypt or Argon2 instead.
No. Hashes are computed in your browser with the Web Crypto API, so your text never leaves your device and nothing is logged.
Embed this tool
Add this tool to your own website. Copy the snippet below; it stays up to date automatically.
<iframe src="https://monu.tools/embed/en/hash-generator" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>Learn more
Hashing vs Encryption: What a Hash Can and Cannot Do
Hashing is one-way and keyless; encryption is two-way and needs a key. Learn the difference, why you cannot decrypt a hash, and when to use each.
Base64 Explained: Why Encoding Is Not Encryption
What Base64 actually does, why it makes data about a third larger, when to use it, and why it protects nothing on its own.
URL Encoding Explained: When and Why to Percent-Encode
Why URLs use %20 and other percent codes, which characters are safe, and when to reach for encodeURIComponent instead of encodeURI.
How to Read a JWT, and Why Decoding Is Not Verifying
A JWT is three Base64url parts anyone can read. Learn how to decode one, what each part means, and why decoding proves nothing.
How Webhook Signatures Work: HMAC, Shared Secrets, and Timing-Safe Checks
How Stripe and GitHub prove a webhook is genuine using HMAC and a shared secret, and the timing-safe comparison most developers get wrong.
How Passwords Should Be Stored: Salting, bcrypt, and Why Not SHA-256
Why a fast hash like SHA-256 is wrong for passwords, what a salt does, and why bcrypt, scrypt, and Argon2 are the right tools.
Related tools
Encode text to Base64 or decode Base64 back to text. UTF-8 safe with automatic direction detection.
Percent-encode and decode URLs and URL components, UTF-8 safe.
Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
Generate an HMAC for a message and secret key using SHA-1, SHA-256, SHA-384 or SHA-512, in your browser.