iToolVerse Logo
iToolVersev4.6

Hash Calculator

MD5, SHA-1, SHA-256, SHA-512, SHA-3, CRC32, and HMAC — for text or files, with a built-in verifier

Compute MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-512 and CRC32, or any of their HMAC variants, for text or files. Need to check a download? The Verify tab auto-detects the algorithm from any published hash (hex, Base64, or Base32) and compares it against your file. Large files stream in 4 MB chunks with a progress bar — everything runs locally in your browser.

Hash & HMAC Generator

Compute MD5, SHA-1, SHA-2 (256/384/512), SHA-3 (256/512), CRC32, and HMAC variants for text or files — locally in your browser. Use the Verify tab to check a downloaded file against a published hash.

Cisco / Windows certutil style

Hash examples (verify against any reference)

Every value below is computed on-the-fly by this calculator using the same algorithms exposed in the tool — so you can sanity-check the implementation against any published reference (e.g. echo -n "hello" | sha256sum on Linux, or Get-FileHash -Algorithm SHA256on Windows). Useful for confirming that the calculator's output matches what your CLI tools produce.

Cryptographic hashes

InputMD5SHA-1SHA-256SHA-384SHA-512SHA3-256SHA3-512
Empty stringd41d8cd98f00b204e9800998ecf8427eda39a3ee5e6b4b0d3255bfef95601890afd80709e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b85538b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95bcf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3ea7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434aa69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26
"hello"5d41402abc4b2a76b9719d911017c592aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b982459e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec0433338be694f50c5f338814986cdf0686453a888b84f424d792af4b9202398f39275d527c368f2efe848ecf6b073a36767800805e9eef2b1857d5f984f036eb6df891d75f72d9b154518c1cd58835286d1da9a38deba3de98b5a53e5ed78a84976
"12345"827ccb0eea8a706c4c34a16891f84e7b8cb2237d0679ca88db6464eac60da963455139645994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc50fa76955abfa9dafd83facca8343a92aa09497f98101086611b0bfa95dbc0dcc661d62e9568a5a032ba81960f3e55d4a3627909a29c31381a071ec27f7c9ca97726182aed29a7ddd2e54353322cfb30abb9e3a6df2ac2c20fe23436311d678564d0c8d305930575f60e2d3d048184d797d4e3eec80026719639ed4dba68916eb94c7a49a053e05c8f9578fe4e5a3d7ea0a2a1719bf3ce682afdbedf3b23857818d526efbe7fcb372b31347c26239a0f916c398b7ad8dd0ee76e8e388604d0b0f925d5e913ad2d3165b9b35b3844cd5e6
"password"5f4dcc3b5aa765d61d8327deb882cf995baa61e4c9b93f3f0682250b6cf8331b7ee68fd85e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8a8b64babd0aca91a59bdbb7761b421d4f2bb38280d3a75ba0f21f2bebc45583d446c598660c94ce680c47d19c30783a7b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86c0067d4af4e87f00dbac63b6156828237059172d1bbeac67427345d6a9fda484e9a75486736a550af4fea861e2378305c4a555a05094dee1dca2f68afea49cc3a50e8de6ea131ea521311f4d6fb054a146e8282f8e35ff2e6368c1a62e909716
"The quick brown fox jumps over the lazy dog"9e107d9d372bb6826bd81d3542a419d62fd4e1c67a2d28fced849ee1bb76e7391b93eb12d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b107e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee669070dda01975c8c120c3aada1b282394e7f032fa9cf32f4cb2259a0897dfc0401dedd5de4ef14642445ba5f5b97c15e47b9ad931326e4b0727cd94cefc44fff23f07bf543139939b49128caf436dc1bdee54fcb24023a08d9403f9b4bf0d450

Checksum

InputCRC32
Empty string00000000
"hello"3610a686
"12345"cbf53a1c
"password"35c246d5
"The quick brown fox jumps over the lazy dog"414fa339

Note: SHA-3 and SHA-2 produce different outputs at the same bit size — SHA3-256 is not a drop-in replacement for SHA-256. Pick by what your standard or library expects, not just by bit length.

Related tools

VPC Subnet Calculator
IPv4 + IPv6 CIDR calculator with VLSM, per-provider reserved IPs, Terraform / CloudFormation / Pulumi export, and AWS sizing cheat sheet
JSON Beautify
Format, validate, and convert JSON — generate TypeScript, Go, Python, Pydantic, Rust types; tree view; auto-unstringify Redis-style JSON
YAML Formatter & Validator
Format YAML, validate it, and convert YAML ↔ JSON with 25 Kubernetes, Docker Compose, GitHub Actions, and Ansible templates
Base64 Encode
Encode text to Base64 format
Regex Tester
Test and validate regular expressions with real-time highlighting
HTML Viewer
Preview HTML & SVG live in your browser — works unblocked on Chromebooks, iPads, and locked-down devices

Hash & HMAC reference

The algorithms exposed by this calculator, what they're actually used for, and the exact commands you can run on your own machine to double-check our output.

Algorithm comparison

AlgorithmOutputSpeedStatusUse it for
MD5128-bitVery fastBroken (collisions)Non-security checksums only
SHA-1160-bitFastDeprecated (2017 collision)Legacy systems, Git object IDs (transitioning)
SHA-256256-bitMediumSecureDefault modern cryptographic hash. Bitcoin, TLS, package signing
SHA-384 / SHA-512384 / 512-bitMediumSecureHigh-security signatures, large data, SRI sha384- prefix
SHA3-256 / SHA3-512256 / 512-bitMediumSecure (different design)Required by some standards (Ethereum uses Keccak-256, the SHA-3 predecessor)
CRC3232-bitExtremely fastNon-cryptographicAccidental corruption detection: ZIP, PNG, gzip, Ethernet frames

How to verify a downloaded file against a published hash

The most common reason people open a hash calculator: confirm that an ISO, installer, or release tarball wasn't corrupted in transit or replaced. Match the page's published hash against the hash of your local file.

macOS / Linux
# SHA-256 of a file
shasum -a 256 ubuntu-24.04.iso
# Or, on Linux:
sha256sum ubuntu-24.04.iso

# MD5 (legacy)
md5sum file.zip
Windows (PowerShell)
# SHA-256 — default
Get-FileHash .\file.iso

# Other algorithms
Get-FileHash .\file.iso -Algorithm SHA1
Get-FileHash .\file.iso -Algorithm MD5
Windows (CMD)
certutil -hashfile file.iso SHA256
certutil -hashfile file.iso MD5

Or use the Verifytab above: paste the publisher's hash, drop the file, and we'll auto-detect the algorithm and compare. No data leaves your browser.

HMAC: hashing with a secret key

HMAC (Hash-based Message Authentication Code, RFC 2104) combines a secret key with a message before hashing it. The result proves the message came from someone who knows the key and wasn't altered in transit. It's the basis of:

  • Webhook signatures — GitHub, Stripe, Slack all sign delivered payloads with HMAC-SHA256
  • JWT HS256 / HS512 — symmetric JSON Web Tokens use HMAC under the hood
  • AWS Signature v4 — every signed AWS API request derives an HMAC chain from your secret key
  • TOTP / HOTP — 2FA codes (Google Authenticator) are HMAC-SHA1 of a counter

The HMAC tab above accepts a key as plain text or, if it starts with 0x, as a hex string. Use the same key on the sender and receiver — and store keys in a secret manager, not in source code.

SRI (Subresource Integrity) hashes for the web

When you include a third-party script or stylesheet, you can pin its content with an integrity attribute. Browsers refuse to execute the file if its hash doesn't match. SRI hashes are Base64-encoded SHA-256/384/512 with a prefix:

<script
  src="https://cdn.example.com/lib.min.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

Use the Hash tab above with algorithm SHA-384 (or SHA-256/512) and encoding Base64. Prefix the result with sha384- in your HTML.

SHA-2 vs SHA-3: when do you actually need SHA-3?

SHA-2 and SHA-3 are bothcurrently considered secure. They share names like “256-bit” but produce completely different outputs— they aren't interchangeable.

  • Use SHA-2 (SHA-256, SHA-512)for almost everything — TLS certificates, Bitcoin, Git, file integrity, package signing. It's ubiquitous, hardware-accelerated on most CPUs, and the default in nearly every standards body.
  • Use SHA-3 / Keccakonly when a specific standard says so (Ethereum signing uses Keccak-256, some new government / financial regulations now require SHA-3, NIST's post-quantum signature schemes use SHA-3 internally).

Don't use raw hashes to store passwords

SHA-256(password) is dangerous — modern GPUs can compute billions of SHA-256 hashes per second, so any stolen password database is brute-force-able. Use a password hashing function instead:

  • Argon2id — current OWASP recommendation, memory-hard
  • bcrypt — battle-tested, work-factor tunable
  • scrypt — memory-hard, predates Argon2
  • PBKDF2 — FIPS-approved, often required for compliance

This calculator doesn't implement those by design — running them in JavaScript with conservative work factors would block the UI. Use a server-side library (bcryptjs, argon2-browser, etc.) for password hashing.

Standards & references

  • FIPS 180-4 — Secure Hash Standard (SHA-1, SHA-2 family)
  • FIPS 202 — SHA-3 family and SHAKE
  • RFC 1321 — The MD5 Message-Digest Algorithm
  • RFC 2104 — HMAC: Keyed-Hashing for Message Authentication
  • RFC 4648 — Base16, Base32, Base64 encodings (used for hash output encoding)
  • RFC 6234 — US Secure Hash Algorithms (SHA-2 reference implementation)
  • IEEE 802.3 — CRC32 polynomial used by ZIP, PNG, gzip

Frequently Asked Questions

Hash functions, HMAC, file verification, and SHA-2 vs SHA-3 — answered.