Can I use MD5 to store passwords?

No. MD5 has been cryptographically broken since 2008 — practical collision attacks exist. For passwords, use Argon2id (the current OWASP recommendation), bcrypt, or scrypt — algorithms designed to be slow, with automatic salting, and resistant to rainbow tables. MD5 is only acceptable for non-adversarial integrity verification (and even there, SHA-256 is better).

What's the difference between SHA-1, SHA-256, and SHA-512?

SHA-1 produces 160 bits, SHA-256 produces 256 bits, and SHA-512 produces 512 bits. SHA-1 is deprecated (Google demonstrated a practical collision in 2017). SHA-256 is today's industry standard — used in Bitcoin, SSL/TLS certificates, and Git internals. SHA-512 is slower but offers more bits — preferred in systems that need extra margin against future attacks.

Can a hash be reversed back to the original text?

No. Hashing is a one-way function — computing the hash of a text is fast, but given the hash, recovering the text requires brute-forcing every possible combination. For long hashes (SHA-256, SHA-512) this is computationally infeasible. However, hashes of common passwords or short phrases can be broken by rainbow tables if no salt is used.

Why does the same text always generate the same hash?

Because hashes are deterministic functions: identical input always produces identical output. That's exactly why they work for integrity verification — any change to the input produces a completely different output. To avoid predictability in password storage, always add a unique per-user salt before hashing.

What's the difference between hashing and encryption?

Hashing is one-way: it goes from text to digest but not back. Encryption is two-way: it uses a key to go from plaintext to ciphertext and back. Hashing is used for verification and identification; encryption is used for confidentiality. AES is the standard symmetric cipher; RSA is asymmetric; SHA-256 is a hash. Mixing them up is a serious mistake.

How do I generate an HMAC with SHA-256?

HMAC (Hash-based Message Authentication Code) combines a hash with a secret key to sign messages. This tool generates plain hashes; for HMAC, use the Web Crypto API with window.crypto.subtle.sign('HMAC', key, data). Webhooks from Stripe, GitHub, and Shopify use HMAC-SHA256 to authenticate incoming payloads.

0 of 3 uses today · 3 remaining. Go Pro and remove the limit.

Upgrade

Hash Generator

MD5 · SHA-1 · SHA-256 · SHA-512 — text or file, processed on-device.

Processado no seu navegador

Input type

Text to hash

Waiting for text…

Enter text to generate hashes.

Web Crypto. SHA-1/256/512 via crypto.subtle.digest() (cryptographically verified). MD5 via SparkMD5 (legacy, not recommended for security). Everything is local — your file is never transmitted from the browser.

Sobre

What is an MD5/SHA-1/SHA-256 hash generator?

Por Quorify EditorialAtualizado em 3 de junho de 2026

The Quorify Hash Generator produces MD5, SHA-1, SHA-256, SHA-384, and SHA-512 cryptographic hashes from any text. It's useful for verifying file integrity, comparing payloads, generating deterministic fingerprints, and debugging systems that rely on checksums. Computation uses the browser's Web Crypto API — algorithms certified under FIPS 180-4 (NIST) and RFC 1321. Note: hashing is NOT encryption — there's no way to recover the original text from a hash. And MD5/SHA-1 hashes are cryptographically broken for security use (use Argon2 or bcrypt for passwords — see OWASP). It's part of the Quorify dev toolkit: pair it with the JSON Formatter to verify API payload integrity and with the UUID Generator for unique identifiers.

Casos

When to use it

Verify the integrity of a file downloaded from the internet — compare the publisher's SHA-256 with the one generated locally.
Generate a cache ETag for an API response — hashing the payload ensures invalidation only when the data actually changes.
Create a deterministic cache key (memoization) based on function parameters.
Debug a legacy system that uses MD5 — see exactly which hash is being generated.
Validate an incoming webhook with an HMAC-SHA256 signature — test locally before deploying your handler.

Método

How the computation works

The tool uses the browser's native Web Crypto API (window.crypto.subtle.digest), which implements NIST's FIPS 180-4 standards (SHA-1/224/256/384/512) and the MD5 algorithm per RFC 1321. Input text is converted to UTF-8 bytes before hashing — note that changing a single letter produces an entirely different hash (the avalanche effect). Hashes are deterministic: the same input always produces the same output. For security-critical use (passwords, tokens), MD5/SHA-1 are broken and should be replaced by Argon2id, bcrypt, or scrypt — algorithms intentionally slow and resistant to brute-force attacks. For integrity verification, SHA-256 remains secure and is the industry standard.

FAQ

Frequently asked questions

Can I use MD5 to store passwords?: No. MD5 has been cryptographically broken since 2008 — practical collision attacks exist. For passwords, use Argon2id (the current OWASP recommendation), bcrypt, or scrypt — algorithms designed to be slow, with automatic salting, and resistant to rainbow tables. MD5 is only acceptable for non-adversarial integrity verification (and even there, SHA-256 is better).
What's the difference between SHA-1, SHA-256, and SHA-512?: SHA-1 produces 160 bits, SHA-256 produces 256 bits, and SHA-512 produces 512 bits. SHA-1 is deprecated (Google demonstrated a practical collision in 2017). SHA-256 is today's industry standard — used in Bitcoin, SSL/TLS certificates, and Git internals. SHA-512 is slower but offers more bits — preferred in systems that need extra margin against future attacks.
Can a hash be reversed back to the original text?: No. Hashing is a one-way function — computing the hash of a text is fast, but given the hash, recovering the text requires brute-forcing every possible combination. For long hashes (SHA-256, SHA-512) this is computationally infeasible. However, hashes of common passwords or short phrases can be broken by rainbow tables if no salt is used.
Why does the same text always generate the same hash?: Because hashes are deterministic functions: identical input always produces identical output. That's exactly why they work for integrity verification — any change to the input produces a completely different output. To avoid predictability in password storage, always add a unique per-user salt before hashing.
What's the difference between hashing and encryption?: Hashing is one-way: it goes from text to digest but not back. Encryption is two-way: it uses a key to go from plaintext to ciphertext and back. Hashing is used for verification and identification; encryption is used for confidentiality. AES is the standard symmetric cipher; RSA is asymmetric; SHA-256 is a hash. Mixing them up is a serious mistake.
How do I generate an HMAC with SHA-256?: HMAC (Hash-based Message Authentication Code) combines a hash with a secret key to sign messages. This tool generates plain hashes; for HMAC, use the Web Crypto API with window.crypto.subtle.sign('HMAC', key, data). Webhooks from Stripe, GitHub, and Shopify use HMAC-SHA256 to authenticate incoming payloads.

Mais

Related tools

Fontes

Official sources

Tabelas, leis e referências consultadas para fundamentar esta ferramenta.

International standardRFC 1321 (1992)IETF · Internet Engineering Task Force
RFC 1321 — The MD5 Message-Digest Algorithm
Original specification for the MD5 cryptographic hash algorithm. Now considered broken for security use, but still used for integrity verification.
Consultar fonte oficial
U.S. federal standardFIPS 180-4 (2015)NIST · National Institute of Standards and Technology
FIPS 180-4 — Secure Hash Standard (SHS)
U.S. federal standard defining the SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms — the reference for cryptographic hashing in modern systems.
Consultar fonte oficial
Security guideCurrentOWASP Foundation
OWASP Password Storage Cheat Sheet
OWASP recommendations on choosing hash algorithms for passwords (Argon2, bcrypt, PBKDF2) and when to use SHA-256 vs. specialized hashing.
Consultar fonte oficial

Metodologia — esta ferramenta consulta as tabelas e legislação vigentes nas fontes acima. As regras são atualizadas conforme novas instruções normativas são publicadas pelos órgãos competentes.

Última verificação editorial: junho de 2026.

SponsoredQuorify · free plan

Quorify Pro

Use Quorify without limits

100 uses/day across all 125 tools · ad-free · extended history

Starting at$4.08/mo

See plans

Compartilhe

SponsoredQuorify · free plan

Quorify Pro

Use Quorify without limits

100 uses/day across all 125 tools · ad-free · extended history

Starting at$4.08/mo

See plans

Related tools

toolLayout.related_description

Pro

JSON to CSV

Export JSON data arrays perfectly into CSV spreadsheets.

Pro

JWT Decoder

Inspect and debug JSON Web Tokens payloads.

Free

CSS Minifier

Optimize CSS stylesheets for maximum speed.

Free

JS Minifier

Reduce vanilla Javascript payload size painlessly.

Free

HTML Minifier

Compress your HTML output removing dead space to save bandwith.

Free

Markdown Editor

Write and preview Github-flavored Markdown in real-time.

Hash Generator

Output format + HMAC

What is an MD5/SHA-1/SHA-256 hash generator?

When to use it

How the computation works

Frequently asked questions

Related tools

Official sources

RFC 1321 — The MD5 Message-Digest Algorithm

FIPS 180-4 — Secure Hash Standard (SHS)

OWASP Password Storage Cheat Sheet

Related tools

JSON to CSV

JWT Decoder

CSS Minifier

JS Minifier

HTML Minifier

Markdown Editor