SHA-256 Hash Generator

How to use the SHA-256 hash generator

1. Enter your input. Type or paste text into the input field, or click the file upload button to drop in a local file (up to 100 MB). The tool accepts any UTF-8 text or binary file.
2. Select an algorithm. SHA-256 is selected by default and covers most use cases. Switch to MD5 for legacy checksum compatibility, SHA-1 for Git-style IDs, or SHA-512 when you need a larger digest on 64-bit hardware.
3. Copy your hash. The hexadecimal digest appears instantly. Click the copy button to put it on your clipboard, then paste it wherever you need it — a config file, a pull-request comment, a verification field, or an API header.

All computation happens inside your browser using the Web Cryptography API. No text, no file content, and no hash result is ever uploaded to xerobit.dev servers.

Hash algorithm comparison

Not all hashing algorithms are equal. The right choice depends on your security requirements, the system you're integrating with, and whether speed or collision-resistance matters more.

For a deeper look at why MD5 is no longer safe for anything security-sensitive, see MD5 is dead — use these instead.

Do not use these to hash passwords

MD5, SHA-1, SHA-256, and friends are fast hashes — designed to be computed in microseconds. That is the opposite of what you want for passwords, where intentional slowness stops attackers from brute-forcing billions of guesses per second. For passwords, use bcrypt, argon2id, or scrypt. Never SHA-hash a password and store the result — that is a 2005-level mistake that still shows up in data breaches. Use your site's password generator to create strong credentials, then store only the bcrypt digest.

SHA-256 in practice

SHA-256 shows up in more places than most developers realize. Here are the most common real-world scenarios where you will reach for this checksum calculator:

• Webhook and API request signing (HMAC-SHA256). Stripe, GitHub, Shopify, and most modern webhook providers sign their payloads with HMAC-SHA256. The receiver hashes the raw body with a shared secret and compares it to the X-Signature header. See our HMAC authentication guide for the full implementation pattern. JWT tokens use the same algorithm (HS256 = HMAC-SHA256).
• File integrity and download verification. When you download a binary release (Linux ISO, npm tarball, Docker base image), the project usually publishes a SHA256SUMS file alongside it. Run the file through this checksum calculator and compare — a single bit difference produces a completely different hash, making tampering obvious.
• Git commit and object IDs. Git historically used SHA-1 for all object identifiers (commits, trees, blobs). Git 2.29+ added optional SHA-256 support (git init --object-format=sha256) to address the theoretical collision risk introduced by SHAttered.
• TLS certificate fingerprints. When you verify an SSL/TLS certificate's identity — in a browser, in a curl call, or in certificate pinning — the fingerprint you compare against is the SHA-256 hash of the DER-encoded certificate.
• Code signing and package integrity. npm publish records a shasum for every package version. Docker image digests (the sha256: prefix in docker pull image@sha256:…) are SHA-256 hashes of the image manifest.

Computing SHA-256 in your language

Use the browser tool above for quick checks. For production code, here is the idiomatic one-liner in the most common environments:

Python

import hashlib
digest = hashlib.sha256(b"hello").hexdigest()
# → "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

JavaScript / Node.js (Web Crypto API)

const buf = await crypto.subtle.digest(
  "SHA-256",
  new TextEncoder().encode("hello")
);
const hex = [...new Uint8Array(buf)].map(b => b.toString(16).padStart(2, "0")).join("");
// → "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

Bash / Linux

echo -n "hello" | sha256sum
# → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  -

macOS

echo -n "hello" | shasum -a 256
# → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  -

Notice all four produce the exact same digest — SHA-256 is deterministic and platform-independent. The hashes generated by this tool are byte-for-byte identical to sha256sum, openssl dgst -sha256, and every other standards-compliant implementation.

What this tool doesn't do

No HMAC (needs a secret key — pasting keys into a web form is a security anti-pattern), no password hashing (intentionally omitted; use bcrypt offline), no signing, no verification. If you need to decode and inspect tokens that use HMAC-SHA256, try the JWT decoder.

Which hash to use in 2026

• MD5 — broken for cryptographic purposes since 2005. Still acceptable for file integrity checksums, cache keys, and deduplication where collision-resistance against an adversary is not required. Do not use for passwords, certificates, or signatures.
• SHA-1 — collisions demonstrated in 2017 (SHAttered attack). Deprecated for digital signatures and TLS certificates. Still in use for Git object IDs and legacy systems where collision attacks are not a meaningful threat.
• SHA-256 — the current recommended default. Used in Bitcoin, TLS 1.3, most cryptographic protocols, and every modern API signing scheme. Start here unless you have a specific reason not to.
• SHA-384 / SHA-512 — larger digests with a higher security margin. SHA-512 is often faster than SHA-256 on 64-bit hardware because it processes 128-byte blocks instead of 64-byte. Use when you need a larger output or are operating under FIPS 180-4 requirements.

FAQ

What is SHA-256 used for?

SHA-256 is used wherever you need to verify data integrity or create a fixed-size fingerprint of arbitrary data. Common examples include file integrity checks (download checksums), digital signatures in TLS certificates and code signing, HMAC-SHA256 for webhook authentication, Docker image digests, and the proof-of-work and transaction hashing in Bitcoin. It is also the "256" in JWT algorithm names like HS256 and RS256.

Is MD5 safe to use in 2026?

MD5 is safe for non-security uses such as cache keys, deduplication identifiers, and checksum verification of files you downloaded from a trusted source over HTTPS. It is not safe for digital signatures, certificate fingerprints, or any context where an adversary could craft a collision. Practical collision attacks on MD5 have been possible since 2005, and chosen-prefix collisions (which allow forging signatures) since 2007. For security-sensitive work, use SHA-256 or SHA-512.

How is hashing different from encryption?

Hashing is a one-way function: given "hello" you can compute its SHA-256 digest, but given only the digest you cannot reconstruct "hello". Encryption is two-way: data encrypted with a key can be decrypted back to the original with the correct key. Hashes are used to verify that data has not changed; encryption is used to keep data confidential. This is why storing a bcrypt hash of a password is secure — even if the database is leaked, the attacker cannot reverse the hash to obtain the original password.

Why is SHA-512 the same speed or faster than SHA-256 for me?

SHA-512 processes 128-byte blocks instead of 64-byte. On 64-bit hardware (virtually everything today), it often runs faster per byte than SHA-256, which means a larger hash digest does not necessarily mean slower hashing.

Can I hash large files?

Yes — up to 100 MB. The file is read and hashed entirely in your browser using streaming reads. Nothing is uploaded.

Are the hashes identical to command-line tools?

Yes. Compare to md5sum, sha256sum, openssl dgst -sha256 — byte-for-byte match.

Related tools

• JSON Formatter — Format, validate, and beautify JSON online. 100% client-side — your data never leaves your browser.
• Base64 Encoder / Decoder — Encode and decode Base64 strings and files. Client-side, safe for sensitive data.
• JWT Decoder — Decode and inspect JSON Web Tokens. Local-only — tokens never leave your browser.
• UUID Generator — Generate UUID v4 and v7 identifiers in bulk.

Related articles

• 5 min readbcrypt Password Hashing — Why You Should Use bcrypt and How to Implement Itbcrypt is the standard password hashing algorithm for web applications. Learn why MD5 and SHA-256 are wrong for passwords, how bcrypt's work factor prevents brute-force...
• 4 min readMD5 vs SHA-256 — When to Use Each and When Not to Use MD5MD5 is broken for security use cases but still useful for checksums and non-security hashing. SHA-256 is the modern standard for cryptographic integrity. Learn the differences,...
• 4 min readSHA-3 and Keccak Hash — The Next Generation Cryptographic HashSHA-3 (Keccak) is NIST's latest hash function, designed independently from SHA-2 to provide an alternative if SHA-2 is ever broken. Learn SHA-3 variants (224, 256, 384, 512,...
• 4 min readFile Integrity Verification with Checksums — SHA-256 and MD5Verify file integrity using SHA-256 and MD5 checksums. Learn how to generate and verify checksums on Linux, macOS, and Windows, use checksums in CI/CD pipelines, and detect...
• 6 min readHash Functions Comparison — MD5, SHA-1, SHA-256, bcrypt, Argon2Hash functions have different speed, output size, and security properties. MD5 and SHA-1 are broken for security. SHA-256 works for data integrity. bcrypt and Argon2 are for...
• 5 min readHMAC Authentication — Signing API Requests with Secret KeysHMAC (Hash-based Message Authentication Code) signs API requests with a shared secret. Learn how HMAC-SHA256 works, how to implement request signing in Node.js and Python, and...

Pillar

Part of Encoding & Crypto — Base64, URL, JWT, hashes, UUID, QR, password.

Written by Mian Ali Khalid. Last updated 2026-05-12.