Hash Generator — How to Generate MD5, SHA-256, SHA-512 Hashes Online
Every time you download software, verify an API webhook, or check whether a file has been tampered with, you are relying on hash functions. They are the silent foundation of data integrity across the entire internet. Yet most people reach for a hash tool only when they need one urgently — verifying a download checksum, debugging an HMAC signature, or comparing two files.
This guide covers what hash functions are, how to generate them for text and files, how HMAC works for API authentication, and how to implement hashing in your own code. By the end you will understand the five major algorithms and know exactly when to use each one.
What Is a Hash Function?
A cryptographic hash function takes any input — a string of text, a file, or a stream of bytes — and produces a fixed-length output called a digest or checksum. The same input always produces the same hash. Even a single character change in the input produces a completely different hash. And critically, the process is one-way: you cannot reverse a hash to recover the original input.
Hash functions are used everywhere: verifying file integrity after downloads, storing passwords securely, authenticating API requests with HMAC signatures, detecting duplicate data in content-addressable storage, and signing digital certificates. If you work in development, DevOps, or security, you encounter hashes daily.
How to Generate Hashes with FlipMyCase
The fastest way to hash text or verify a file checksum is the browser-based tool:
- Open the FlipMyCase Hash Generator.
- Type or paste text into the input field — MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes appear in real time.
- To hash a file, drop it onto the file upload area or click to select it.
- Enable Compare Hash mode and paste a known checksum to verify a match.
- For keyed hashing, enable HMAC Mode and enter your secret key.
Everything runs in your browser using the Web Crypto API. Your text and files never leave your device.
Code Examples for Generating Hashes
JavaScript (Node.js)
const crypto = require('crypto');
function generateHashes(input) {
const algorithms = ['md5', 'sha1', 'sha256', 'sha384', 'sha512'];
const results = {};
for (const algo of algorithms) {
results[algo] = crypto.createHash(algo).update(input).digest('hex');
}
return results;
}
const hashes = generateHashes('Hello, World!');
console.log('MD5: ', hashes.md5);
console.log('SHA-256:', hashes.sha256);
console.log('SHA-512:', hashes.sha512);
// HMAC example
const hmac = crypto.createHmac('sha256', 'my-secret-key')
.update('webhook-payload')
.digest('hex');
console.log('HMAC-SHA256:', hmac);
Python
import hashlib
import hmac as hmac_lib
def generate_hashes(text):
data = text.encode('utf-8')
return {
'md5': hashlib.md5(data).hexdigest(),
'sha1': hashlib.sha1(data).hexdigest(),
'sha256': hashlib.sha256(data).hexdigest(),
'sha384': hashlib.sha384(data).hexdigest(),
'sha512': hashlib.sha512(data).hexdigest(),
}
hashes = generate_hashes('Hello, World!')
for algo, digest in hashes.items():
print(f'{algo:>7}: {digest}')
# HMAC example
signature = hmac_lib.new(
b'my-secret-key',
b'webhook-payload',
hashlib.sha256
).hexdigest()
print(f'HMAC-SHA256: {signature}')
Go
package main
import (
"crypto/hmac"
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"fmt"
)
func main() {
data := []byte("Hello, World!")
fmt.Printf("MD5: %x\n", md5.Sum(data))
fmt.Printf("SHA-1: %x\n", sha1.Sum(data))
fmt.Printf("SHA-256: %x\n", sha256.Sum256(data))
fmt.Printf("SHA-512: %x\n", sha512.Sum512(data))
// HMAC-SHA256
mac := hmac.New(sha256.New, []byte("my-secret-key"))
mac.Write([]byte("webhook-payload"))
fmt.Printf("HMAC: %x\n", mac.Sum(nil))
}
Real-World Use Cases
Verifying software downloads. Software publishers provide SHA-256 checksums alongside their releases. After downloading, drop the file into the Hash Generator, enable Compare Hash mode, and paste the published checksum. A green match confirms the file was not corrupted or tampered with during transfer. This is standard practice for Linux ISOs, development tools, and security software.
Authenticating API webhooks. Services like Stripe, GitHub, and Shopify sign webhook payloads with HMAC-SHA256. Your server receives the payload and a signature header. You compute HMAC-SHA256 of the payload using your secret key and compare it to the header value. A match proves the request came from the real service. Use the HMAC mode in FlipMyCase to debug signature mismatches.
Data deduplication and caching. Content-addressable storage systems like Git use SHA-1 hashes as file identifiers. If two files produce the same hash, they are identical — no byte-by-byte comparison needed. This same principle powers CDN cache keys, build artifact caching, and database deduplication layers.
Integrity auditing. Store a SHA-256 hash alongside important documents, contracts, or database exports. Recompute the hash later to verify the data has not been modified. This is essential for compliance workflows, legal discovery, and chain-of-custody documentation.
Common Mistakes and Gotchas
The most dangerous mistake is using MD5 or SHA-1 for security purposes. MD5 has been broken since 2004 — attackers can generate deliberate collisions. SHA-1 was practically broken in 2017. Both are fine for non-security uses like cache keys and quick deduplication, but never use them for verifying software integrity or storing password hashes.
Another common error is confusing hashing with encryption. Hashing is one-way and irreversible. Encryption is two-way and reversible with a key. If you need to recover the original data, you need encryption (AES, RSA), not hashing.
Encoding mismatches cause subtle bugs. The SHA-256 hash of the string "hello" depends on whether it is encoded as UTF-8, UTF-16, or ASCII. Make sure your tool and your code use the same encoding, or you will get different hashes for the same text.
For password storage, never use SHA-256 or MD5 directly. They are too fast — attackers can test billions of guesses per second. Use bcrypt, scrypt, or Argon2, which are deliberately slow and memory-intensive.
Frequently Asked Questions
What is the difference between MD5, SHA-256, and SHA-512? MD5 produces a 128-bit (32 hex character) hash and is fast but cryptographically broken. SHA-256 produces a 256-bit (64 hex character) hash and is the current industry standard for security applications. SHA-512 produces a 512-bit (128 hex character) hash and offers even more collision resistance. Use SHA-256 unless you have a specific reason to choose otherwise.
What is HMAC and how is it different from a regular hash? HMAC (Hash-based Message Authentication Code) combines a secret key with the hash function. A regular hash only proves data integrity — anyone can compute it. HMAC adds authentication: only someone who knows the secret key can produce the correct hash. This is why APIs use HMAC for webhook signatures.
Can I hash large files in the browser? Yes. The Hash Generator uses the Web Crypto API to hash files entirely in your browser. Modern browsers handle files of several hundred megabytes in seconds. For very large files (1 GB+), there may be a brief delay, but no data is ever uploaded.
Is my data sent to a server? No. All hashing runs entirely in your browser. Text uses the Web Crypto API for SHA algorithms and a JavaScript implementation for MD5. Files are read locally and processed without any network request. The tool works offline as a PWA.
Conclusion
Hash functions are fundamental to modern computing — from verifying downloads and authenticating APIs to deduplicating data and auditing file integrity. Understanding which algorithm to use and how to implement hashing correctly saves debugging time and prevents security mistakes.
For quick text and file hashing, the FlipMyCase Hash Generator computes all five algorithms simultaneously with HMAC support and built-in comparison. For production code, use the JavaScript, Python, or Go examples above. And if you need to encode strings before hashing, check out the String Encoder for Base64, URL, and HTML entity encoding.