VectoboxVectobox
Back to Developer Tools

Hash Generator

Privacy-first hash generator: MD5, SHA-1/256/384/512, SHA-3, Keccak-256, CRC-32 — text and files up to 4 GB, with HMAC, verify, and security badges. Zero upload.

Zero upload. Hashes computed locally.

Output format
Input encoding
0 bytes
MD5Broken
SHA-1Broken
SHA-256Secure
SHA-384Secure
SHA-512Secure
SHA3-256Secure
SHA3-512Secure
Keccak-256Secure
CRC-32Checksum
Show avalanche effect

One bit changed → most output bits flip.

SHA-256("vectobox")
1b80cd1495691f628778309bc95b404421f4379213e6a628478deb5debba8d02
SHA-256("vectobox!") — 58/64 chars different
058526f63d4e965c9aafccc7b81e9efece1e52885c89a1f327066a50e8acce06
Recent0

No recent hashes yet.

Nine algorithms, one input

Type or drop text and you see MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-512, Keccak-256 and CRC-32 update in real time. Switch to File mode and the same nine algorithms run incrementally on files up to 4 GB without leaving your browser.

Stream a 4 GB file without leaving the browser

We slice the file into 64 KB chunks and feed each chunk through every hash incrementally inside a Web Worker. Memory stays bounded, the UI never blocks, and there is no upload — the bytes never leave your device.

SHA3-256 vs Keccak-256 — pick the right one

Both algorithms use the same Keccak-f[1600] permutation. NIST changed the domain-separation byte (0x06 instead of 0x01) when standardizing SHA-3 in 2015. Ethereum had already deployed the original Keccak and kept it — using SHA3-256 on Ethereum data produces wrong results.

HMAC, in one paragraph

HMAC = Hash-based Message Authentication Code. Combine a secret key with a hash function and you get a fingerprint only key-holders can produce. AWS SigV4, GitHub webhooks, Stripe signatures and JWT HS256 all use HMAC-SHA-256. The construction `hash(opad ‖ hash(ipad ‖ msg))` is RFC 2104.

Frequently asked questions

Are my files or text uploaded?
No. All computation runs in your browser via Web Crypto and self-coded MD5 / SHA-3 / Keccak / CRC-32. No network call carries your data.
Why does the file mode support 4 GB?
We stream files in 64 KB chunks and hash incrementally inside a Web Worker. Memory stays bounded; the main thread never blocks.
What's the difference between SHA3-256 and Keccak-256?
Both use the Keccak permutation, but with different padding. NIST changed the suffix byte when standardizing SHA-3. Ethereum was deployed before the change and kept the original Keccak — using SHA3-256 on Ethereum data would produce wrong results.
Should I still use MD5?
Only for non-security checksums (file dedup, partition keys). For passwords, signatures, integrity-against-attacker, use SHA-256 or higher.
What is HMAC?
Hash-based Message Authentication Code — combines a secret key with a hash so the recipient can verify both integrity and authenticity. Used by AWS SigV4, GitHub webhooks, JWT HS256, Stripe signatures.
What does 'timing-safe comparison' mean?
A naive `a === b` short-circuits at the first byte that differs. An attacker measuring response time could leak the matching prefix byte-by-byte. Constant-time equality reads all bytes regardless.
What encoding should I pick for the input?
UTF-8 is the right answer for text. Use Hex or Base64 when the input is already encoded bytes (e.g. raw blockchain data, decoded JWT body).
Why is there no Argon2 / bcrypt?
Those are password hashing algorithms with separate trade-offs (memory-hardness, salt, work factor). They deserve a dedicated tool — coming later.

Related Tools

New

JWT Decoder

Decode JWT tokens to inspect header, payload, and signature. View algorithm, expiry, and issued-at times. Runs entirely in your browser.

New

Base64

Encode and decode Base64, Base64URL, percent-encoded URLs, and files (image/PDF preview included). UTF-8 safe, runs entirely in your browser.

New

Token Counter

Count tokens for GPT, Claude, Gemini and 20+ LLM models. 100% browser-based with exact GPT tokenization and calibrated estimates for other families.