What is the difference between MD5 and SHA-256?

MD5 produces a 128-bit (32-character hex) hash and is fast but cryptographically broken — it should only be used for non-security purposes like file integrity checks. SHA-256 produces a 256-bit (64-character hex) hash, is slower, and is still considered secure for cryptographic use like password hashing and digital signatures.

Can I reverse a hash to get the original input?

No. Hash functions are one-way — you cannot derive the original input from the hash. However, attackers can try common inputs (dictionary attacks) or precomputed tables (rainbow tables) to find matches. Always salt password hashes to defeat these attacks.

Why do people use hashes to verify downloads?

A download's hash uniquely fingerprints its contents. If the file is tampered with or corrupted during transfer, its hash will not match the published one. Comparing hashes gives mathematical proof that the file you received is identical to the file the publisher made available.

Is SHA-1 still safe to use?

No. SHA-1 has been demonstrated insecure against collision attacks since 2017. Use SHA-256 or SHA-512 for new projects. SHA-1 is only acceptable for legacy compatibility (old Git, some certificates) where a replacement has not been made yet.

April 16, 20268 min read

How to Generate MD5, SHA-1, and SHA-256 Hashes Online (Free)

You downloaded a large file and want to confirm it was not tampered with. You are comparing two text inputs and need a fast way to know if they are identical without showing them to anyone. You are storing passwords in a database and need a one-way fingerprint. All three situations call for the same tool: a cryptographic hash.

This guide explains what hashes are, the difference between MD5, SHA-1, and SHA-256, when to use each, and how to generate hashes online using PDFFlare's free Hash Generator.

What Is a Hash?

A cryptographic hash function takes any input — a password, a file, a paragraph — and produces a fixed-length “fingerprint” that uniquely represents it. Three key properties:

Deterministic: The same input always produces the same hash. Always.
One-way: You cannot reverse a hash back to the original input. Unlike Base64, hashing is not encoding — it is irreversible.
Avalanche effect: Changing a single character in the input produces a completely different hash. No partial similarity.

How to Generate a Hash (Step by Step)

Open the tool: PDFFlare's Hash Generator.
Paste your input: Any text — a password, a sentence, or JSON data.
Pick an algorithm: MD5, SHA-1, SHA-256, SHA-384, or SHA-512.
View and copy the hash: Output appears instantly. One-click copy to clipboard.

MD5 vs SHA-1 vs SHA-256: Which One to Use

MD5 (128-bit, 32 hex chars)

MD5 produces a 32-character hex string: 5d41402abc4b2a76b9719d911017c592. It is fast, widely supported, and completely broken for security purposes — collisions (different inputs producing the same hash) can be generated in seconds on modern hardware.

Safe for: Non-security integrity checks, cache keys, de-duplication, checksums for detecting accidental corruption.

Do not use for: Passwords, digital signatures, any adversarial scenario.

SHA-1 (160-bit, 40 hex chars)

SHA-1 produces a 40-character hex string. It was the standard through the 2000s but is now officially broken — Google publicly demonstrated a SHA-1 collision in 2017. TLS certificates stopped using it in 2016.

Safe for:Git commit hashes (they do not rely on SHA-1's collision resistance), legacy checksums.

Do not use for: Anything new. Use SHA-256 instead.

SHA-256 (256-bit, 64 hex chars)

SHA-256 is the current industry standard for general cryptographic use. It is used by TLS certificates, Bitcoin, Git tags, JWT signatures, and checksum files on software release pages. No known collision attacks exist against SHA-256.

Safe for: Password hashing (with a proper algorithm like bcrypt/Argon2 on top — never use raw SHA-256 for passwords), file integrity checks, digital signatures, blockchain applications.

SHA-384 and SHA-512

Longer variants of the SHA-2 family. Same security level as SHA-256 in practice, but longer outputs for systems that require them. Rarely needed for everyday use.

Common Use Cases for Hashes

File Integrity Verification

When you download Ubuntu, Node.js, or any major open-source release, the project publishes a SHA-256 hash alongside the download. After downloading, you compute the SHA-256 hash of the file and compare. Match means the file is intact; mismatch means corruption or tampering.

Password Storage (Indirectly)

You should never store raw passwords. Instead, store the hash — and when a user logs in, hash their input and compare. That way, a database breach does not leak passwords.

Critical caveat: raw SHA-256 is not good enough for password hashing. Use a purpose-built password hashing algorithm like bcrypt, Argon2, or scrypt. These are intentionally slow and salted to resist brute-force attacks.

Content Addressing

Git identifies every commit, tree, and blob by its SHA-1 hash. IPFS (the InterPlanetary File System) uses SHA-256 for the same purpose. Content-addressed storage means identical content always has the same address — enabling perfect deduplication.

Cache Keys and Deduplication

Hash the contents of an asset (CSS, JS, image), use the hash as part of the filename (e.g., main.a1b2c3d4.js), and set long cache headers. When the content changes, the hash changes, the URL changes, and browsers pick up the new version automatically.

Digital Signatures and JWTs

Digital signatures start with a hash of the content, then encrypt the hash with the signer's private key. JWTs sign their payload with HMAC-SHA-256 (HS256), producing a signature that can be verified but not forged without the secret.

Password Hashing Best Practices

Never use raw MD5, SHA-1, or SHA-256 for passwords. They are too fast — modern GPUs compute billions of hashes per second, making brute force trivial.
Use bcrypt, Argon2, or scrypt. These are designed to be slow and memory-hard, resisting GPU attacks.
Always salt passwords. A salt is a random value prepended to the password before hashing, preventing rainbow table attacks. The hashing library handles this automatically.
Hash server-side, not client-side. Client-side hashing does not protect against server compromise and actually creates new attack vectors.

Verifying File Downloads: Step by Step

Example: verifying a downloaded Node.js installer.

On the Node.js download page, note the published SHA-256 hash next to the file (usually in a SHASUMS256.txt file).
Compute the SHA-256 of your downloaded file. On macOS/Linux: shasum -a 256 node-v22.x.x.pkg. On Windows PowerShell: Get-FileHash -Algorithm SHA256 node.pkg.
Compare the two hashes character-by-character. If they match, the file is exactly what the Node.js team published. If not, redownload and try again.

Privacy Note

Many online hash generators send your input to a server. That is fine for public test strings — but risky for anything sensitive (API tokens, internal data, partial passwords). PDFFlare's Hash Generator runs entirely in your browser using the native Web Crypto API. Your input never leaves your device.

Common Hash Generation Mistakes

Using MD5 or SHA-1 for security. Both are cryptographically broken — collisions can be generated on consumer hardware. Use SHA-256 or SHA-3 for any security- sensitive context. MD5/SHA-1 are still acceptable for non- adversarial integrity checks (e.g. CDN cache keys).
Hashing passwords directly. Plain hashing (even SHA-256) is too fast — modern GPUs can try billions of password guesses per second. Use a slow hash function specifically designed for passwords: bcrypt, scrypt, Argon2, or PBKDF2 with high iteration counts.
Forgetting to use a salt. Two users with the same password should get different hashes. Add a unique random salt per user (16+ bytes) before hashing, store the salt alongside the hash. Without salt, attackers can use rainbow tables.
Comparing hashes with == instead of constant-time compare. String equality short-circuits on the first differing byte, which leaks timing information. Use a constant-time comparison function (crypto.timingSafeEqual in Node, hmac.compare_digest in Python).
Mixing case-sensitive vs case-insensitive comparison. Hex hash output may be uppercase or lowercase depending on tool. Always lowercase both sides before comparing, or both uppercase. Mismatched case = false mismatch.
Hashing the same content twice expecting different results. Hashes are deterministic. Same input always produces same output. If you need different outputs (e.g. unique session IDs), include a nonce or timestamp in the input.

Hash Algorithm Recommendations by Use Case

File integrity (downloads, backups): SHA-256. Standard, widely supported, secure enough for non-adversarial integrity verification.
Git commits:Git uses SHA-1 historically; modern Git is migrating to SHA-256. Both work for repo integrity since they're not used for secrets.
Password storage: Argon2id (recommended new choice), bcrypt (well-established), or scrypt. Never plain SHA-256.
API request signing (HMAC): HMAC-SHA256 is the standard. Modern APIs almost universally use this.
Data deduplication and caching: SHA-256 if collisions matter; MD5 or even xxHash (much faster, not cryptographic) for performance-sensitive non-adversarial cases.
Cryptographic signatures: SHA-256 or SHA-3-256, paired with a signature algorithm (ECDSA, Ed25519, RSA).

Workflow Notes Beyond the Basics

Hashing is the workflow you reach for when you need to verify file integrity, generate cache keys, or implement security primitives without rolling your own crypto. The deeper point underneath all of this is that workflow tools earn their place not in the simple cases but in the cases where defaults fail. The simple cases are easy: drag, drop, click convert, done. The interesting cases are the ones where the defaults produce output that does not quite work, and the difference between a tool that survives a year of daily use and one that gets replaced is whether it gives you the knobs needed to handle those edge cases without leaving the tool. PDFFlare is built around that observation: every tool exposes the options that matter, the defaults work for ninety percent of cases, and the remaining ten percent have a clear path forward without requiring a different application or a complicated workflow. Try the tool on a real piece of work, identify where the defaults could be better for your specific use case, and adjust the relevant option. After a few iterations, you have a setting profile that matches your work better than any out-of-the-box default could, and the tool stops being a generic utility and starts being your tool, customized for what you actually do. That gradient — from generic utility to personalized tool — is the real value, and the time spent on the calibration pays back in every subsequent use of the tool over years of work.

Wrapping Up

Hashes are one of the most versatile tools in software: file integrity checks, password storage (with proper algorithms), content addressing, cache keys, digital signatures. For modern work, SHA-256 is the default. MD5 is fine for non-security checksums. SHA-1 is legacy only. PDFFlare generates all of them free, browser-based.

Useful Companion Tools

Two more PDFFlare tools that pair well with this workflow:URL Encode/Decode and QR Code Generator. Both are free, browser-based, and require no signup — same as the tool covered in this guide.

Related Workflows

Adjacent tools you might find useful while working through this guide: Hash Generator and Base64 Encode/Decode. They handle different parts of the same workflow and pair naturally with what we've covered here.

Related Tools

Base64 Encode/Decode — encode hash outputs as Base64
URL Encode/Decode — URL-encode hash values for safe transport
JSON Formatter — format JSON payloads before hashing