Hash functions take any input and produce a fixed-length fingerprint — the same input always produces the same hash, and any change in input produces a completely different hash. Hashes verify file integrity, store passwords safely, identify duplicate content, and underpin blockchain. A hash generator computes the value for text or files using MD5, SHA-1, SHA-256, and other standard algorithms.

This guide covers what hashes are good for, which algorithm to use, and the security distinctions that matter.

What a Hash Is

A hash is a fixed-length string derived from variable-length input. The same input always produces the same hash. Tiny input changes produce completely different hashes. Hashes are one-way — you cannot reverse a hash to recover the original input.

Common Hash Algorithms

  • MD5 — 128-bit; fast; broken for security but still used for file integrity checks
  • SHA-1 — 160-bit; deprecated for security; legacy compatibility only
  • SHA-256 — 256-bit; current standard; widely used
  • SHA-512 — 512-bit; stronger; common in security contexts
  • SHA-3 — Newer family; alternative to SHA-2
  • bcrypt / Argon2 — Password-hashing specifically (slow by design)

Common Uses

  • File integrity verification — Confirm download wasn't corrupted
  • Duplicate detection — Identical hashes indicate identical content
  • Password storage — Servers store hash, not password (with bcrypt/Argon2)
  • Digital signatures — Hash signed rather than entire document
  • Content addressing — Git, IPFS use hashes as identifiers
  • Cache keys — Hash of content used as cache identifier
  • Blockchain — Block linking and proof of work

File Integrity Verification

  1. Publisher computes SHA-256 of release file; publishes hash on website
  2. Downloader retrieves file
  3. Downloader computes SHA-256 of received file
  4. Compare with published hash; match means file is intact

Hashes vs Encryption

  • Hash — One-way; verification only; cannot recover original
  • Encryption — Two-way with key; can decrypt back to original
  • Use hash for integrity checks, password storage
  • Use encryption when data needs to be retrieved

Why MD5 and SHA-1 Are Broken

  • Collisions possible — different inputs producing same hash
  • Demonstrated attacks for both (SHA-1 collision in 2017)
  • Not safe for security-critical use (certificates, signatures)
  • Still acceptable for non-security integrity checks (CRC-like use)

Why You Shouldn't Hash Passwords with SHA-256 Alone

  • SHA-256 is fast — attackers can hash billions of guesses per second
  • Use bcrypt or Argon2 — designed to be slow, parameterizable
  • Add salt (random per-password value) to prevent rainbow table attacks
  • If you're implementing password hashing, use a library — don't roll your own

Common Pitfalls

  • MD5 for passwords. Trivially crackable; never use for new systems
  • Hashing without salt. Rainbow table attacks succeed
  • Wrong algorithm for purpose. Bcrypt for passwords, SHA-256 for file checks
  • Trusting published hash without secure channel. Attacker can replace both file and hash
  • Comparing hashes case-sensitively. Some tools output uppercase, others lowercase
  • Encoding mismatch. Hashing UTF-8 vs UTF-16 of same text gives different results

Real-World Examples

  • Linux distros publish SHA-256 of ISO downloads
  • Git commits identified by SHA-1 of content
  • Bitcoin transactions use SHA-256 (double-applied)
  • Web browsers verify TLS certificate signatures via SHA-256

Quick Tips

  • SHA-256 for general use today
  • Bcrypt or Argon2 for password storage
  • Avoid MD5 and SHA-1 for security; OK for non-security integrity
  • Use HTTPS to retrieve published hashes — or attacker can substitute
  • Don't implement password hashing yourself; use a library

Use the Hash Generator on Popupnote

The Hash Generator on Popupnote provides a clean tool for computing MD5, SHA-1, SHA-256, and SHA-512 hashes of text or files — for integrity verification, duplicate detection, and any task that needs a content fingerprint. The tool runs in your browser without any account required.