A Digital Fingerprint
A hash function takes an input of any length — a single character, a paragraph, an entire file — and produces a fixed-length output called a hash, digest, or checksum. The same input always produces the same hash. Even a tiny change in the input produces a completely different hash.
For example, the SHA-256 hash of "hello" is:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Change one letter to "Hello" (capital H) and the hash becomes:
185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
Completely different. There is no relationship between the two hashes that would let you guess one from the other.
Properties of Cryptographic Hash Functions
Deterministic. The same input always produces the same hash. This is what makes verification possible.
Fast to compute. Generating a hash from any input takes a fraction of a second, regardless of input size.
One-way. Given a hash, it is computationally infeasible to determine the original input. You cannot "unhash" a hash.
Collision-resistant. It is extremely difficult to find two different inputs that produce the same hash. For SHA-256, the probability is so small it is effectively impossible.
Avalanche effect. A small change in the input causes a dramatic change in the hash. This prevents anyone from determining how similar two inputs are by comparing their hashes.
Common Hash Algorithms
MD5 — Produces a 128-bit (32-character hex) hash. Fast but broken for security purposes — researchers have demonstrated practical collision attacks. Still used for non-security checksums (verifying file downloads, deduplication).
SHA-1 — Produces a 160-bit (40-character hex) hash. Also considered broken for security since 2017 when Google demonstrated a collision. Still used in legacy systems but should not be used for new applications.
SHA-256 — Part of the SHA-2 family. Produces a 256-bit (64-character hex) hash. Currently the standard for most security applications. Used in SSL/TLS certificates, Bitcoin, and software signing.
SHA-512 — Also SHA-2 family. Produces a 512-bit (128-character hex) hash. Marginally more secure than SHA-256 and faster on 64-bit systems.
Real-World Uses
Password storage. Websites do not (should not) store your password in plain text. They store a hash of your password. When you log in, the system hashes what you type and compares it to the stored hash. If they match, you entered the correct password. If the database is breached, attackers get hashes, not passwords.
File integrity. Software download pages often list the SHA-256 hash of each file. After downloading, you hash the file locally and compare. If the hashes match, the file was not corrupted or tampered with during download.
Data deduplication. Cloud storage services hash uploaded files. If two users upload the same file, the hashes match and the system stores only one copy.
Digital signatures. Rather than signing an entire document (which would be slow), the signer hashes the document and signs the hash. The signature verifies both the signer's identity and the document's integrity.
Version control. Git identifies every commit, file, and tree by its SHA-1 hash. This is how Git detects changes and ensures repository integrity.
How to Use the Toobits Hash Generator
Enter text and see its hash instantly in MD5, SHA-1, SHA-256, and SHA-512. Compare hashes to verify data integrity, generate checksums for files, or learn how different inputs produce different hashes. Everything runs in your browser — your data never leaves your device.