Generate cryptographic hashes (MD5, SHA-1, SHA-256, SHA-512) for any text.
MD5: Fast but cryptographically broken. Use only for checksums, not security.
SHA-1: Also deprecated for security. Better than MD5 but still vulnerable.
SHA-256/512: Modern, secure algorithms. Use these for passwords, signatures, etc.
A cryptographic hash function takes input (text, file, data) and produces a fixed-size string (hash/digest). It's a one-way function—you can't reverse a hash to get the original data. Hashing is NOT the same as encryption.
Hashing: One-way. Cannot be reversed. Used for verification.
Encryption: Two-way. Can be decrypted with a key. Used for secrecy.
Wrong: "Hash my password to hide it" (it can be brute-forced)
Right: "Hash my password with bcrypt/Argon2 + salt for secure storage"
Status: Broken (collision attacks since 2004)
Speed: Very fast
Use for: Checksums, cache keys (non-security)
Don't use for: Passwords, signatures, certificates
Status: Deprecated (collision attacks since 2017)
Speed: Fast
Use for: Git commits (legacy), checksums
Don't use for: New security applications
Status: Secure and recommended
Speed: Fast enough
Use for: Digital signatures, certificates, blockchain, tokens
Security: No known vulnerabilities
Status: More secure than SHA-256
Speed: Slower, larger output
Use for: High-security applications, long-term storage
Bonus: Faster on 64-bit processors
// Downloaded file: ubuntu.iso
// Official SHA-256: a1b2c3d4e5f6...
// Generate hash of downloaded file:
sha256sum ubuntu.iso
// Output: a1b2c3d4e5f6...
// ✓ Hashes match = file is authentic and uncorruptedInput: "Hello World"
SHA-256: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
// Hash it 1000 times, always the same output
// Even 1 character change produces completely different hash:
Input: "Hello World!"
SHA-256: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
// ↑ Completely different!// ❌ WRONG: Plain SHA-256 (vulnerable to rainbow tables) password = "secret123" hash = SHA256("secret123") // Attacker can brute-force or use rainbow tables// ✅ RIGHT: Use bcrypt/Argon2 with salt password = "secret123" hash = bcrypt.hash(password, saltRounds=12) // $2b$12$KIXfF7... (includes salt, computationally expensive)
No. Hashing is one-way by design. You cannot reverse it mathematically. However, you can brute-force guess (try millions of inputs until hash matches) or use rainbow tables (pre-computed hashes). This is why salt + slow algorithms (bcrypt) are crucial for passwords.
A collision is when two different inputs produce the same hash. MD5 has known collisions (two different files with same MD5). SHA-256 has no known collisions and is considered collision-resistant. In theory collisions exist (infinite inputs, finite outputs), but finding one for SHA-256 is computationally infeasible.
SHA-256 is too fast. Attackers can brute-force billions of hashes per second with GPUs. Use slow hashing (bcrypt, Argon2, scrypt) designed for passwords. These are intentionally slow (~100ms) making brute-force attacks impractical. Also always use a unique salt per password.
A salt is random data added to input before hashing. Example:
hash = SHA256(password + salt)
Why: Prevents rainbow table attacks. Even if two users have the same password, different salts mean different hashes.
Each password gets a unique salt stored alongside the hash.
const crypto = require('crypto');
// SHA-256
const hash = crypto
.createHash('sha256')
.update('Hello World')
.digest('hex');
console.log(hash); // a591a6d40bf...import hashlib
# SHA-256
hash_object = hashlib.sha256(b'Hello World')
hex_dig = hash_object.hexdigest()
print(hex_dig) # a591a6d40bf...# SHA-256
echo -n "Hello World" | sha256sum
# MD5
echo -n "Hello World" | md5sum
# Verify file
sha256sum file.iso