What is a hash? MD5, SHA-256 and when you actually need HMAC
Hash functions turn any input into a fixed-length fingerprint, but not all hashes are created equal. Choosing between MD5, SHA-256, and HMAC means the difference between a working security check and one that fails silently. This guide explains what each does, when to use it, and how to verify your own hashes right in your browser.
What is a hash function?
A hash function takes any amount of data—text, a file, a password—and produces a fixed-length string of characters. The same input always produces the same output, which makes hashes useful for verification. Change even one character in the input, and the hash changes completely. This one-way property (you cannot reverse a hash to get the original data back) is what makes it useful for security.
MD5: fast but broken
MD5 produces a 128-bit hash and was once the standard for checksums and file verification. Today it is cryptographically broken—collisions (two different inputs producing the same hash) are fast to find. MD5 still appears in legacy systems and for non-security checksums, but never for authentication or passwords. Use the Hash generator to see MD5 output, but reach for SHA-256 for anything that matters.
SHA-256: the current standard
SHA-256 (part of the SHA-2 family) produces a 256-bit hash and is the modern choice for cryptographic work. It is fast enough for most applications, resistant to known attacks, and widely supported. You will see SHA-256 used in blockchain systems, certificate fingerprints, and password hashing. The Hash generator supports SHA-256 as its default algorithm.
HMAC: when you need a secret
A plain hash function is deterministic—anyone can verify the hash. An HMAC (Hash-based Message Authentication Code) mixes in a secret key, so only someone who knows the key can produce the correct hash. This is essential for APIs: the server and client share a secret, each signs their messages with it, and the recipient verifies that the signature matches. This proves the message came from the claimed sender and has not been tampered with. The HMAC generator lets you test this with your own secret key.
When to use each approach
- Use plain
SHA-256for file integrity checks, password hashing (with salt and a slow function like bcrypt), and public fingerprinting. - Use
HMACfor API request signing, webhook verification, and any scenario where both parties share a secret. - Skip
MD5for anything security-related. Use it only when interacting with legacy systems that require it.
Your data stays on your device
Both the Hash generator and HMAC generator run entirely in your browser. Your text is never sent to a server—it is hashed locally on your device, works offline after the page loads, and requires no account or login. This means you can safely hash sensitive information like API keys for testing without exposing them to the internet.
Bonus: measure entropy
If you are generating secrets or passwords, the Shannon entropy calculator shows how much randomness (and therefore security) is in a string. Higher entropy means harder to guess. Use it to verify that your generated secrets are actually random before deploying them.