Free hash generator

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes, sign a message with HMAC, or hash a password with bcrypt. The text you enter is hashed on your device and never sent to a server. You never sign in, and the page keeps nothing.

Copied to clipboard

How the hash generator works

Runs entirely in your browser

1

Choose an algorithm

Pick a plain hash such as SHA-256, an HMAC signed with a secret key, or bcrypt when you are storing a password.

2

Enter your text

SHA and HMAC digests are computed by your browser's built-in cryptography as you type. Nothing you enter is sent anywhere.

3

Copy the result

Copy the hex digest, or check a password against an existing bcrypt hash with the verify box.

Private by design: nothing leaves your browser

Most online hash generators post your text to a server. That is harmless for the word "hello" and careless for an API secret or a password, and you cannot tell from the outside which one you are using. This one computes everything locally:

01

100% client-side

SHA and HMAC digests come from your browser's built-in cryptography. MD5 and bcrypt need a small library, downloaded once when you first select them, and nothing you type is part of that request.

02

Nothing stored or logged

No account, no analytics on what you hash, no history. Reload the page and the text is gone from memory.

03

Open and verifiable

The digests match the published test vectors for each algorithm, so you can check this tool against any other implementation and get the same answer.

Which algorithm to use

  1. SHA-256 is the default for signatures, integrity checks, and content addressing.
  2. HMAC-SHA-256 is for proving a message came from someone holding a shared secret, such as a webhook signature.
  3. bcrypt is for storing passwords, because it is deliberately slow and salts every hash. Never store a password as a plain SHA-256 digest.
  4. MD5 and SHA-1 are broken for collision resistance and belong only in checksums or legacy systems you cannot change.

Built for developers and security-conscious teams

Developers who want a digest they can trust, computed somewhere they control. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Developers

Check a file checksum, reproduce a webhook signature, or generate a bcrypt hash for a seed user without pasting the secret into someone's server.

Security & IT teams

Confirm an integrity hash during an incident, and demonstrate to a colleague why a SHA-256 password hash is not enough.

Students & educators

Watch the avalanche effect as one character changes the whole digest, and compare bcrypt's salted output across runs.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

Frequently asked questions

Is this hash generator free?

Yes, completely free with no sign-up and no limit on how much text you hash.

Does what I type get sent to a server?

No. The text, the secret key, and the password stay in your browser and are never transmitted, logged, or stored. SHA and HMAC hashes are computed by your browser's built-in cryptography. MD5 and bcrypt need a small library, which the page downloads once the first time you select them; nothing you type is part of that request.

Should I still use MD5 or SHA-1?

Not for anything security related. Both are broken for collision resistance: an attacker can construct two different inputs with the same hash, cheaply for MD5 and expensively but demonstrably for SHA-1. They remain acceptable as non-security checksums, for example verifying that a file transferred without corruption, or matching a legacy system that already uses them. Use SHA-256 for anything new.

What is the difference between a hash and an HMAC?

A hash takes one input and produces a fingerprint that anyone can recompute. An HMAC takes an input and a secret key, so only someone holding the key can produce or verify the result. Use an HMAC when you need to prove a message came from someone who knows the secret, such as signing a webhook payload.

Why should I hash passwords with bcrypt rather than SHA-256?

Because SHA-256 is designed to be fast, and an attacker with a stolen database wants speed. A modern graphics card computes billions of SHA-256 hashes per second, so common passwords fall almost immediately. bcrypt is deliberately slow and its cost factor is adjustable, so you can keep hashing expensive as hardware improves. It also salts every hash automatically.

Why is the bcrypt hash different every time I click?

Because bcrypt generates a fresh random salt for every hash, and stores that salt inside the output string. Two identical passwords therefore produce two different hashes, which stops an attacker from spotting that two users share a password, and defeats precomputed rainbow tables. Use the verify box to confirm that a password matches an existing hash.

Which bcrypt cost factor should I choose?

Pick the highest cost your server can tolerate at login time, usually 12 as of today. Each increment doubles the work: cost 12 takes roughly a quarter of a second on typical hardware, cost 14 takes about a second. Cost 10 is the old default and is now on the low side for anything valuable.

Can I use this offline?

Yes. Load the page, select the algorithm you want at least once so its code is fetched, then disconnect from the internet. Everything keeps working, because the hashing runs in your browser.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.