Input Text
Drop a file here or click to upload
HMAC Secret Key
Hash Comparison
Expected Hash
Actual Hash
All Hashes
MD5 (128-bit)
SHA-1 (160-bit)
SHA-256 (256-bit)
SHA-512 (512-bit)
Which hash should you use?
| Algorithm | Output | Still safe? | Use for |
|---|---|---|---|
| MD5 | 128 bits | ❌ broken (collisions demonstrated) | Legacy only. File deduplication where adversaries aren't in scope. |
| SHA-1 | 160 bits | ❌ broken (2017 SHAttered) | Legacy. Git uses it but is migrating to SHA-256. |
| SHA-256 | 256 bits | ✅ safe | General-purpose cryptographic hash. Bitcoin, TLS, file integrity. |
| SHA-512 | 512 bits | ✅ safe | Faster than SHA-256 on 64-bit CPUs, same security. |
| SHA-3 | variable | ✅ safe | New Keccak-based standard. Rarely needed over SHA-256. |
| BLAKE3 | 256 bits | ✅ safe | Much faster than SHA-256. Great for file hashing. |
| bcrypt / scrypt / Argon2 | variable | ✅ safe for passwords | Password hashing only. Deliberately slow + salted. |
Never use MD5, SHA-1, or even plain SHA-256 for passwords. Use Argon2id (best), bcrypt (widely supported), or scrypt. They're intentionally slow — a GPU farm can compute 10 billion SHA-256s per second but only a few thousand bcrypts per second.
Common use cases
- File integrity — SHA-256 the downloaded file, compare to the publisher's listed hash. If they match, the file wasn't corrupted or tampered with.
- Deduplication — S3, Git LFS, deduped backups all use content-addressable storage: hash is the key.
- Digital signatures — sign the hash of a document, not the document itself (public-key crypto on 256 bits is fast; on a 100MB PDF is slow).
- Password storage — bcrypt/Argon2 specifically. Never plain hash functions.
- HMAC — keyed hash for message authentication.
HMAC(key, message)proves the message wasn't tampered with + came from someone with the key. - Content-addressable cache — Docker layers, npm packages, webpack bundles identified by hash.
Frequently Asked Questions
What is a hash function?
A hash function takes input data of any size and produces a fixed-size output (hash). It's one-way — you cannot reverse a hash to get the original data.
Which hash algorithm should I use?
SHA-256 is recommended for most purposes. MD5 and SHA-1 are considered broken for security use but still useful for checksums. SHA-512 provides extra security margin.
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to verify both data integrity and authenticity. HMAC-SHA256 is commonly used in API authentication.
Related Developer Tools
Copyright © 2026 BuildStudio. All rights reserved.
Designed and Developed by Webority Technologies
Report an issue
We use necessary cookies to run this site, and analytics cookies only with your consent. No advertising, no cross-site tracking. Read our Privacy Policy.