
Hash calculator from text or file

Eighteen algorithms computed in parallel directly in your browser, grouped by family: SHA-2 (256, 384, 512), SHA-3 (224, 256, 384, 512), BLAKE2b/2s, RIPEMD-160, CRC-32 and CRC-16/CCITT for integrity checksums, MurmurHash3 and xxHash32 for non-cryptographic fingerprinting, MD5 and SHA-1 for legacy cases. Text input (UTF-8) or files up to 100 MB. CSV export to document checksums for a batch of files.

How to use it

  1. Pick the source

     Paste text in the left panel or drop a file in the right one. The file stays on your computer: no upload, no transfer.

  2. Hash

     All eighteen algorithms run in parallel. For text you can keep "Hash as you type" enabled and watch the digests update live. A 100 MB file is typically hashed across all algorithms in 2-3 seconds on a modern machine.

  3. Verify a download

     To check that a downloaded file is intact, compare the hash in the family the source site advertises (usually SHA-256) against the value published on that site. Click "Copy" on the row you need to grab the hex value.

  4. Export to CSV

     To document the checksums of multiple files (backups, distributed assets, project deliverables), process each file and click "Export CSV". You get a file with columns family,algorithm,hash,bytes,source, ready to keep as a manifest or feed into a pipeline.
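
Steps 3 and 4 combined, as an added example that is not code from this tool: a Node.js verifier that re-hashes files in chunks and compares them against a manifest with the column order given above. The algorithm labels (such as SHA-256), the reading of source as a file path relative to a base directory, and all sample values are assumptions.

```javascript
// Added example (Node.js). Algorithm labels, the meaning of `source` (a path
// relative to baseDir) and every sample value below are assumptions.
const { createHash } = require('node:crypto');
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');

// Rows in any other algorithm are reported as skipped, never as ok.
const NODE_NAME = new Map([['SHA-256', 'sha256'], ['SHA-384', 'sha384'], ['SHA-512', 'sha512']]);

// Hash in 64 KiB chunks so memory use stays flat on multi-gigabyte files.
function hashFile(file, nodeName) {
  const h = createHash(nodeName), buf = Buffer.alloc(64 * 1024);
  const fd = fs.openSync(file, 'r');
  try {
    for (let n; (n = fs.readSync(fd, buf, 0, buf.length, null)) > 0;) h.update(buf.subarray(0, n));
  } finally { fs.closeSync(fd); }
  return h.digest('hex');
}

// One verdict per row: ok | mismatch | missing | malformed | skipped.
function verifyManifest(csvText, baseDir) {
  const [header, ...rows] = csvText.trim().split(/\r?\n/);
  if (header !== 'family,algorithm,hash,bytes,source') throw new Error('unexpected header');
  return rows.map((row) => {
    const [, algorithm, hash, , ...rest] = row.split(',');
    const source = rest.join(','); // the last column may itself contain commas
    const file = path.join(baseDir, source);
    const expected = (hash || '').trim().toLowerCase();
    let status;
    if (!NODE_NAME.has(algorithm)) status = 'skipped';
    else if (!/^[0-9a-f]+$/.test(expected)) status = 'malformed';
    else if (!fs.existsSync(file)) status = 'missing';
    else status = hashFile(file, NODE_NAME.get(algorithm)) === expected ? 'ok' : 'mismatch';
    return { source, algorithm, status };
  });
}

// Constructed sample: two small files and a four-row manifest in a temp directory.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'manifest-'));
  fs.writeFileSync(path.join(dir, 'abc.txt'), 'abc');
  fs.writeFileSync(path.join(dir, 'changed.txt'), 'abd');
  const abc = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';
  const csv = ['family,algorithm,hash,bytes,source',
    `SHA-2,SHA-256,${abc},32,abc.txt`,
    `SHA-2,SHA-256,${abc},32,changed.txt`,
    'Legacy,MD5,900150983cd24fb0d6963f7d28e17f72,16,abc.txt',
    `SHA-2,SHA-256,${abc},32,missing.bin`].join('\n');
  return verifyManifest(csv, dir).map((v) => v.status);
}
```

A manifest only proves integrity against tampering if the manifest itself comes from a trusted channel; the legacy MD5 row is deliberately reported as skipped rather than ok.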

Why run it in the browser

The file stays on your computer. Database backups, configuration dumps, certificates, private archives: a file's hash is already a unique fingerprint of the file itself, and computing it on a third-party service means handing over that fingerprint. Here the computation happens inside your browser tab, with no external transfer. You can verify it from the Network panel of your developer tools: open it, drop a file, and you will see zero outgoing network requests while hashes are being computed.

Eighteen algorithms in one shot. Families are visually separated in the table: SHA-2 and SHA-3 for general cryptographic use, BLAKE2 for fast modern checksums (used for example by recent Linux ISO releases), RIPEMD-160 for Bitcoin addresses and legacy signatures, CRC-32 for ZIP and PNG archives, MurmurHash3 and xxHash for non-cryptographic uses such as deduplication and cache bucket assignment. MD5 and SHA-1 are shown with a "legacy" badge and remain available for backward compatibility scenarios.

Large files: prefer the command line. The 100 MB cap keeps the tab responsive without progress spinners. For much larger files (4 GB ISOs, multi-gigabyte database dumps) command-line tools are more efficient: they read the file in chunks and report progress natively. Use sha256sum file.iso on Linux and macOS, certutil -hashfile file.iso SHA256 on Windows, or Get-FileHash file.iso -Algorithm SHA256 in PowerShell.

Glossary

Technical terms used on this page, briefly explained.

Cryptographic hash
A function that maps an arbitrary-size input to a fixed-size output, such that flipping a single input bit produces a completely different output, and such that it is computationally infeasible to recover the input from the output or to find two inputs that map to the same output.
SHA-2 family
NIST FIPS 180-4 standard: covers SHA-224, SHA-256, SHA-384, SHA-512. SHA-256 is today the de facto standard for file integrity and digital signatures. Considered secure for general cryptographic use.
SHA-3 family
NIST FIPS 202 (2015), built on the Keccak construction. Designed as an alternative to SHA-2 should the latter ever be broken. Both are currently considered secure.
BLAKE2
Modern hash family (RFC 7693) with two variants: BLAKE2b tuned for 64-bit CPUs, BLAKE2s for 32-bit and embedded environments. Faster than SHA-256 at equivalent security. Adopted by many modern systems as the default checksum.
RIPEMD-160
160-bit hash (ISO/IEC 10118-3), designed in Europe as an alternative to SHA-1. Used in Bitcoin addresses (combined with SHA-256) and in some legacy GnuPG signatures.
CRC-32 / CRC-16
Cyclic Redundancy Check: not cryptographic hashes, but error-detection codes. Used to verify the integrity of ZIP archives, PNG images, Ethernet frames, serial protocols. Fast but easily forgeable: they offer no protection against intentional tampering.
MurmurHash3 / xxHash
Non-cryptographic hashes designed to be extremely fast. Used in hash tables, deduplication systems, distributed cache bucket assignment. They do not offer collision resistance in the cryptographic sense: think of them as fast fingerprints, not as integrity proofs.
Collision
Two different inputs that produce the same hash. For an N-bit hash, a random collision is expected after roughly 2^(N/2) attempts (birthday paradox). For broken hashes like MD5 and SHA-1, attacks exist that find collisions far faster than the theoretical bound.
Hex output
Output convention: each raw digest byte is written as two lowercase hexadecimal characters. MD5 produces 16 bytes = 32 characters, SHA-256 produces 32 bytes = 64 characters, SHA-512 produces 64 bytes = 128 characters.

Frequently asked questions

Can I really trust that the file is not uploaded somewhere?
Yes, and you can verify it in two clicks. Open your browser's developer tools (F12 in most cases), go to the Network panel and start recording. Drop a file in the drop zone and run the hash. You will see zero HTTP requests leaving the browser during the computation. File reading and hashing both happen inside the tab, with no network involvement.
Why are MD5 and SHA-1 marked as legacy algorithms?
For MD5, the first full collision was published in 2004 by Wang, Feng, Lai and Yu, and in 2008 Stevens and others built two X.509 certificates with identical MD5 hashes. Producing an MD5 collision has been within reach of a laptop ever since. For SHA-1, the first practical collision was demonstrated by Google in 2017 with the SHAttered project. In 2020 Leurent and Peyrin published "SHA-1 is a Shambles", a chosen-prefix collision (the most dangerous variety) achievable for around 45,000 USD of rented GPU time: at that point, every attack that was practical against MD5 became practical against SHA-1 too. The consequence is that neither algorithm provides the guarantee it was originally adopted for, and the uses that depend on that guarantee (signatures, authenticated downloads against an adversary, certificates) must move to SHA-256 or stronger.
So they are officially deprecated?
Yes, by different standards bodies and on different timelines. The IETF published RFC 6151 in 2011 declaring that MD5 "must not be used" where collision resistance is required, and that new specifications must not adopt it. NIST officially announced SHA-1 retirement on December 15, 2022, with a transition deadline of December 31, 2030 for FIPS-validated cryptographic modules. The October 2024 public draft of NIST SP 800-131A Rev. 3 formalises the retirement schedule, also covering 224-bit hashes and other dated primitives. In practice, from 2030 FIPS-validated cryptographic modules will no longer be allowed to use SHA-1 for purposes that require collision resistance.
Then why keep them in the tool?
Because legitimate uses still exist: verifying a download against accidental corruption (no adversary), comparing a file's hash against a historical manifest, reading checksums published years ago, working with legacy systems that use them internally for non-security-critical identifiers. They stay in the table, at the bottom and with an explicit badge, so that anyone who needs them has the tool, and anyone unfamiliar with their status sees immediately that they belong to a separate category.
Why are BLAKE3, Whirlpool and Tiger not included?
A correct BLAKE3 implementation requires a parallel Merkle-tree structure: mature implementations are compiled, and to stay coherent with the rest of this realm (everything written in browser-inspectable JavaScript) we prefer not to include it until a pure-JS version is available at acceptable cost. Whirlpool and Tiger have become niche, used almost exclusively in specific legacy contexts (Direct Connect, Gnutella, some academic projects): if you need them, dedicated command-line tools already cover those cases.
What about password hashing? Can I use this tool to hash passwords?
No, none of the algorithms here is suitable. Passwords need functions designed to be deliberately slow and memory-hard: argon2id (2026 recommendation), bcrypt (legacy but still valid), scrypt. They live on the server side, applied to a structured input (with a per-user unique salt). A web hash tool is not the right place: in production these belong inside the authentication system, not computed by hand.
My file is 500 MB, what should I do?
Use the command line: it is more efficient because it reads the file in chunks with native progress reporting. On Linux or macOS: sha256sum file.iso or shasum -a 256 file.iso. On Windows in cmd.exe: certutil -hashfile file.iso SHA256. In PowerShell: Get-FileHash file.iso -Algorithm SHA256. For BLAKE2 on Linux: b2sum file.iso.
Why does the same file produce different hashes between this tool and the command line?
For binary files (images, archives, ISOs, executables) the hashes are bit-for-bit identical. When you see differences on textual input, the culprit is usually one of: different line endings (CR/LF/CRLF), an extra newline appended by the shell (echo "text" | sha256sum appends a \n), a UTF-8 BOM present in one file and not the other. When hashing text, make sure you are comparing the exact same byte stream.
What does the size column (16 B, 32 B, 64 B) mean?
It is the raw output length in bytes, before hex encoding. MD5 produces 16 bytes (32 hex characters), SHA-256 produces 32 bytes (64 hex characters), SHA-512 produces 64 bytes (128 hex characters). Hex encoding doubles the textual length to keep the output readable and copyable as a string.
Does it work offline?
Yes. Once the page is loaded you can disconnect from the network: hashing keeps working. All eighteen algorithms run inside the browser, no external API is involved.
Are the hashes I get here compatible with sha256sum or OpenSSL?
Yes, byte for byte. The implementations pass the official RFC and NIST test vectors: SHA-256 produced here matches sha256sum, OpenSSL EVP_sha256, Python hashlib.sha256. SHA-3 matches openssl dgst -sha3-256. BLAKE2b matches b2sum. If you see a mismatch, it is almost always an encoding or line-ending issue with the input.
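
The two answers above that trace a mismatch to line endings, a trailing newline or a UTF-8 BOM, turned into a diagnostic as an added example (Node.js, not code from this tool): given a text and the digest you expected, it reports which byte-level variant of that text actually produces the digest. Function names and sample strings are constructed for the illustration.

```javascript
// Added example (Node.js); function names and sample strings are constructed.
const { createHash } = require('node:crypto');

const sha256 = (bytes) => createHash('sha256').update(bytes).digest('hex');
const BOM = Buffer.from([0xef, 0xbb, 0xbf]);

// Every distinct byte stream the "same" text can become: three line-ending
// styles, with or without a final newline, with or without a UTF-8 BOM.
function variants(text) {
  const bare = text.replace(/^\uFEFF/, '').replace(/\r\n?/g, '\n').replace(/\n+$/, '');
  const out = new Map(), seen = new Set();
  for (const [eolName, eol] of [['LF', '\n'], ['CRLF', '\r\n'], ['CR', '\r']]) {
    for (const trailing of [false, true]) {
      for (const bom of [false, true]) {
        const body = Buffer.from(bare.split('\n').join(eol) + (trailing ? eol : ''), 'utf8');
        const bytes = bom ? Buffer.concat([BOM, body]) : body;
        const key = bytes.toString('hex');
        if (seen.has(key)) continue; // single-line text: LF/CRLF/CR coincide
        seen.add(key);
        out.set(`${eolName}, ${trailing ? 'with' : 'no'} trailing newline${bom ? ', UTF-8 BOM' : ''}`, bytes);
      }
    }
  }
  return out;
}

// Labels of the variants whose SHA-256 equals the published hex digest.
function explainMismatch(text, expectedHex) {
  const want = expectedHex.trim().toLowerCase();
  return [...variants(text)].filter(([, bytes]) => sha256(bytes) === want).map(([label]) => label);
}
```

An empty result means the difference is not one of these encodings, so the content itself differs.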

Who builds these tools?

Maurizio Fonte, senior IT consultant with 20+ years in PHP, Laravel, unmanaged Linux infrastructure, applied cybersecurity and AI/LLM integration. Production backends, legacy code modernization, security audits, custom AI agents and MCP servers: the work behind every tool published here.
