How to Generate an MD5 or SHA-256 Hash (and Verify a Download)

Q: How do I verify a download's checksum on Windows?

Run `Get-FileHash yourfile.exe` in PowerShell (it defaults to SHA-256) and compare the output to the publisher's listed value.

2026-06-12

Short answer: A hash is a one-way fingerprint of some data — feed in any text or file, get a fixed-length string out. The same input always produces the same hash, but you can't run it backwards to recover the input. Paste your text into the hash generator to get MD5, SHA-1, and SHA-256 instantly, all in your browser. The common real-world use is verifying a download: compare the hash the publisher lists against the hash of the file you actually got. If they match, the file wasn't corrupted or tampered with.

Generating a hash of text

Open the hash generator.
Paste or type your text into the input box.
Read off MD5, SHA-1, and SHA-256 at the same time — no button-mashing.
Copy whichever one you need.

That's it. Nothing leaves the tab — I run the hashing with the browser's built-in crypto.subtle API, so your input never hits a server. Open DevTools, watch the Network tab, type some text: zero requests. That matters if you're hashing anything sensitive, because pasting it into a random online hasher means trusting that site not to log it.

Verifying a downloaded file's checksum

This is the classic use. When a project publishes a release (a Linux ISO, an installer, a CLI binary), they usually post a SHA-256 checksum next to it. You hash your downloaded copy and compare.

Note the published checksum from the project's site (e.g. 9f2a...e1).
Hash your downloaded file. On the command line that's faster than a browser for big files:
- macOS / Linux: shasum -a 256 yourfile.iso
- PowerShell: Get-FileHash yourfile.iso
Compare the two strings character by character (or just eyeball the first and last few).
Match = good. Mismatch = re-download; the file is corrupt or has been swapped.

For small text snippets or pasted strings, the browser tool is the quickest path. For multi-gigabyte files, reach for the CLI one-liner above.

Honest security note: MD5 and SHA-1 are broken

This is the part most "hash generator" pages skip. MD5 and SHA-1 are cryptographically broken — researchers can craft two different inputs that produce the same hash (a collision). So:

MD5/SHA-1 are fine for non-security integrity checks: detecting accidental corruption, deduplicating files, cache keys.
For anything where an attacker might try to forge a match — signatures, password storage context, security-relevant verification — use SHA-256 or stronger.

Two more things people get wrong: a hash is not encryption (there's no key, and you can't decrypt it), and it's not reversible. If a site claims to "decrypt MD5," it's just looking the hash up in a table of previously-seen inputs. That's also why you should never hash a raw password without a salt — but that's a topic for another day.

Need to encode binary data instead of fingerprinting it? That's what Base64 is for — different job entirely.

FAQ

Is MD5 safe to use? For checking that a file downloaded without corruption, yes. For anything security-sensitive, no — use SHA-256. MD5 collisions are trivial to generate today.

Can you reverse or decrypt a SHA-256 hash? No. Hashing is one-way by design. "Decrypt" sites just look up common inputs in a precomputed table; they can't reverse an arbitrary hash.

What's the difference between MD5 and SHA-256? MD5 produces a 128-bit hash and is broken for security. SHA-256 produces a 256-bit hash from the SHA-2 family and is still considered secure. Use SHA-256 unless you specifically need MD5 for legacy compatibility.

How do I verify a download's checksum on Windows? Run Get-FileHash yourfile.exe in PowerShell (it defaults to SHA-256) and compare the output to the publisher's listed value.

— Milo 🐨