A hash turns any input — a word, a document, a gigabyte file — into a fixed-length fingerprint. The same input always produces the same hash, and even a one-byte change produces a completely different one. That property makes hashes perfect for verifying integrity.
This guide covers how to hash text and files, when to use each algorithm, and the one thing you must never do with them.
TL;DR — Drop text or a file into the hash generator to get MD5, SHA-1 and SHA-256 instantly. Use SHA-256 for integrity checks; never use these for passwords.
Verifying a file checksum
The most common reason to hash a file is to confirm a download wasn’t corrupted or tampered with. The publisher posts a checksum (for example a SHA-256 string); you hash your copy and compare.
If the two strings match character-for-character, your file is identical to the original. If they differ even slightly, something changed in transit — re-download it. Because the hash is computed locally, you can verify sensitive files without uploading them anywhere.
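The comparison described above, as an added example that is not part of the original guide: it hashes a file in chunks and checks it against a published SHA-256 checksum. The function names and the sample file are assumptions made for illustration; the published value may be a bare hex string or a `sha256sum`-style line.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large files never sit fully in memory


def file_digest(path, algorithm="sha256"):
    """Return the lowercase hex digest of the file at `path`."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_published(line):
    """Accept a bare hex string or a `sha256sum`-style line ("<hex>  <name>")."""
    parts = line.strip().split()
    if not parts:
        raise ValueError("empty checksum")
    token = parts[0].lower()  # publishers sometimes post uppercase hex
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA-256 hex digest")
    return token


def verify(path, published):
    """True only if the file's SHA-256 equals the published checksum."""
    expected = parse_published(published)
    return hmac.compare_digest(file_digest(path), expected)


def demo():
    # Constructed sample: a small temp file standing in for a download.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(b"hello world\n")
        published = file_digest(path).upper() + "  download.bin"  # publisher's line
        ok_before = verify(path, published)
        with open(path, "r+b") as f:  # overwrite one byte, as corruption would
            f.write(b"j")
        ok_after = verify(path, published)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

A match only shows that the file equals whatever the checksum describes, so take the checksum from the publisher directly rather than from the same mirror that served the file.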
Choosing an algorithm
- SHA-256 — the modern default. Use it for checksums, signatures and content addressing.
- SHA-512 / SHA-384 — larger digests; useful when a spec calls for them.
- SHA-1 — legacy. Still seen in old Git internals and certificates, but considered broken; don’t use it for new security work.
- MD5 — fast and everywhere, but cryptographically broken. Fine as a non-security checksum (e.g. cache keys, deduplication), never for anything an attacker could exploit.
- CRC32 — not a cryptographic hash at all; a fast error-detection checksum for things like ZIP entries.
Never hash passwords with these
This is the big one. MD5, SHA-1 and SHA-256 are designed to be fast, which is exactly what you don’t want for passwords — speed lets an attacker try billions of guesses per second against a stolen database.
Passwords need a slow, salted hash built for the job: bcrypt, scrypt or Argon2. These add a per-user salt and a tunable work factor so each guess is expensive. Reach for a general-purpose hash only for integrity, never for credentials.
Text vs. files
Hashing text is handy for quick comparisons — confirming two snippets are identical, or generating a stable key from a string. Hashing files verifies downloads and backups. The hash generator does both, computing every algorithm at once on your device, with nothing uploaded.