induwara.lk
induwara.lkDeveloper · Hashing

MD5 & SHA Hash Generator — in-browser, no upload

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text or file — and the HMAC variants when you supply a secret key. Algorithms follow RFC 1321, FIPS 180-4, and RFC 2104 exactly. Files and keys never leave your browser tab.

By Induwara AshinsanaUpdated May 11, 2026
Hash generatorMD5 · SHA-1/256/384/512
Self-testing…

Runs entirely in your browser. Text, files, and HMAC keys are never uploaded — open DevTools' Network tab and watch it stay silent while you hash. Files larger than 52,428,800 bytes (50 MiB) are rejected client-side.

Text is encoded as UTF-8 bytes before hashing (WHATWG Encoding Standard).
Samples

HMAC (keyed hashing)

RFC 2104 keyed message authentication. Paste a shared secret and every algorithm switches to its HMAC variant — HMAC-SHA-256 of the input, computed in-browser.

Output encoding
Pick a sample, paste text, or drop a file to see five digests appear here.

Algorithms follow: RFC 1321 (MD5), FIPS 180-4 (SHA-1, SHA-2), RFC 2104 (HMAC). SHA-1/256/384/512 use W3C SubtleCrypto; MD5 (not in SubtleCrypto) is computed by a pure-JS routine that matches RFC 1321 §A.5 byte-for-byte. Verified 2026-05-11. (MD5=128b, SHA-1=160b, SHA-256=256b, SHA-384=384b, SHA-512=512b)

How it works

A cryptographic hash maps an input of any size to a fixed-size digest in a way that is fast to compute forward and infeasible to reverse. This page implements five standard digests plus their keyed (HMAC) variants, each one pinned to the authoritative specification it came from:

  1. MD5— Rivest's Message-Digest Algorithm, specified in RFC 1321. Produces a 128-bit (16-byte) digest. Browsers' SubtleCrypto deliberately omits MD5 (broken for collision-resistance since Wang & Yu 2005), so this page ships a pure-JavaScript implementation of the algorithm in Section 3.4 of the RFC, with the four 16-byte state words mixed by the 64 rounds and the T[i] = floor(2^32 × |sin(i+1)|) constant table. Verified against the Appendix A.5 test suite at startup.
  2. SHA-1 RFC 3174 / FIPS 180-4 §6.1. 160-bit digest, computed by the browser's crypto.subtle.digest("SHA-1", ...). A second, independent pure-JS implementation runs alongside it and the two outputs must agree byte-for-byte; that cross-check is wired into the green “Verified” badge above.
  3. SHA-256 — FIPS 180-4 §6.2. 256-bit digest, 64 rounds over 32-bit words. Test vector SHA-256("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad from Appendix B.1 must reproduce exactly. This is the workhorse — use it whenever you can.
  4. SHA-384 / SHA-512 — FIPS 180-4 §6.4 / §6.5. 384-bit and 512-bit digests respectively, both processing 64-bit words across 80 rounds. SHA-384 is SHA-512 with different initial values and the output truncated, so on 64-bit hardware they cost essentially the same; pick SHA-384 only if your protocol mandates it (e.g. some TLS suites, certain interop targets).
  5. HMAC (RFC 2104) — when you flip the HMAC switch, every algorithm becomes a keyed MAC computed as H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ message)) where ipad = 0x36, opad = 0x5c, both repeated to the hash's block size (64 bytes for MD5 and SHA-256, 128 bytes for SHA-512). A key longer than the block size is replaced by H(key) first, per §2 of the RFC. HMAC-SHA-* uses crypto.subtle.sign("HMAC", ...); HMAC-MD5 is built around the pure-JS MD5 primitive on this page, because SubtleCrypto cannot do MD5 at all.

Text input is run through TextEncoder.encode (WHATWG Encoding Standard, UTF-8) before hashing, so Sinhala, Tamil, CJK, and emoji round-trip cleanly and produce the same digest as piping the same UTF-8 bytes into openssl dgst. File input is read as raw bytes — no encoding, no whitespace fix-ups — so the hash matches sha256sum / certutil -hashfile exactly.

Worked examples

SHA-256("abc") — the canonical FIPS 180-4 test vector

Text: "abc" (3 UTF-8 bytes: 0x61, 0x62, 0x63)

  1. TextEncoder.encode → Uint8Array [0x61, 0x62, 0x63]
  2. Pad to 512 bits: append 0x80, zero-fill, append 24 as big-endian 64-bit length
  3. Run 64 rounds with the FIPS 180-4 §6.2 round function
  4. Output (hex): ba7816bf8f01cfea414140de5dae2223
  5. b00361a396177a9cb410ff61f20015ad
  6. (matches FIPS 180-4 Appendix B.1 exactly)

MD5("") — the empty-input vector from RFC 1321 §A.5

Text: empty string (0 bytes)

  1. Pad to 512 bits: 0x80 followed by 55 zero bytes, then 0 as little-endian 64-bit length
  2. Run 64 MD5 rounds against the single padded block
  3. Output (hex): d41d8cd98f00b204e9800998ecf8427e
  4. Independently confirmed by RFC 1321 Appendix A.5
  5. Also confirms the implementation handles zero-length input correctly

HMAC-SHA-256("Hi There", 0x0b×20) — RFC 4231 §4.2 test 1

Message: "Hi There" (UTF-8); Key: 0x0b repeated 20 times

  1. Key length (20) < SHA-256 block size (64), so the key is right-padded with zeros to 64 bytes
  2. ipad = key XOR 0x36 → 64 bytes; opad = key XOR 0x5c → 64 bytes
  3. Inner = SHA-256(ipad ∥ "Hi There")
  4. HMAC = SHA-256(opad ∥ Inner)
  5. Output (hex): b0344c61d8db38535ca8afceaf0bf12b8
  6. 81dc200c9833da726e9376c2e32cff7
  7. (matches RFC 4231 §4.2 Test Case 1 exactly)

Frequently asked questions

Sources & references

The hash routines on this page were last cross-checked against the RFC 1321 §A.5 / FIPS 180-4 §B.1-§B.2 / RFC 2202 §2 / RFC 4231 §4.2 test vectors on 2026-05-11. Any algorithmic change bumps that date. If your digest differs from another tool, double-check the input encoding first (trailing newline, BOM, CRLF) — then email me below if it's still off.

Related tools

Rate this tool
Be the first to rate

Comments & feedback

Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.

Found a bug, edge case, or want to suggest an improvement?

Email me at [email protected] — most fixes ship within 24 hours.