Security & Dev

What Is a Hash Generator and How Does Hashing Work?

Convixy Blog · Security & Dev · 7 min read

What Is a Cryptographic Hash?

A cryptographic hash is a fixed-length string of characters produced by running any input — a word, a sentence, a file, an entire database — through a mathematical algorithm called a hash function. The output is always the same length regardless of how long the input is, and even the tiniest change in the input produces a completely different output.

Think of it as a fingerprint for data. Just as a human fingerprint uniquely identifies a person without revealing anything about their appearance, a cryptographic hash uniquely identifies a piece of data without revealing the data itself. And just as you cannot reconstruct a person from their fingerprint, you cannot reconstruct the original input from its hash — the process is deliberately one-way.

This one-way property is what makes hashing so useful in security. You can verify that data has not changed by comparing hashes, store proof that you possessed something without revealing what it was, and check passwords without ever storing the actual password.

Try it now: Use Convixy’s free Hash Generator to generate MD5, SHA-1, SHA-256 and SHA-512 hashes instantly, directly in your browser.

A Simple Example

The clearest way to understand hashing is to see it in action. Here is the same phrase hashed with three different algorithms:

Input Hello, World! MD5 65a8e27d8879283831b664bd8b7f0ad4 SHA-256 dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d SHA-512 374d794a95cdcfd8b35993185fef9ba368f160d8daf432d08ba9f1ed1e5abe6cc69291e0fa2fe0006a52570ef18c19def4e617c33ce52ef0a6e5fbe318cb0387

Notice that SHA-256 always produces 64 hexadecimal characters (256 bits), and SHA-512 always produces 128 hexadecimal characters (512 bits), regardless of whether the input is a single word or an entire novel. Now change just one character in the input — say, a lowercase ‘h’ instead of uppercase ‘H’ — and the hash output changes completely. This is called the avalanche effect and it is a fundamental property of all secure hash functions.

The Four Main Hashing Algorithms

Algorithm Output length Status Best used for
MD5 128 bits (32 hex chars) Legacy only Non-security checksums, legacy systems
SHA-1 160 bits (40 hex chars) Deprecated Legacy git commits; avoid for security
SHA-256 256 bits (64 hex chars) Recommended File integrity, digital signatures, certificates
SHA-512 512 bits (128 hex chars) Recommended High-security contexts, large data

MD5 and SHA-1 are both considered cryptographically broken — researchers have demonstrated that it is possible (with significant computing power) to craft two different inputs that produce the same hash output. This is called a collision attack and it undermines the core security guarantee. For any security-sensitive purpose, use SHA-256 or SHA-512. MD5 is still acceptable for quick file checksums where security is not the concern.

What Is a Hash Generator Used For?

File integrity verification

Download a file and compare its SHA-256 hash against the one published by the author. If they match, the file has not been tampered with or corrupted in transit.

Password storage

Databases store hashes of passwords, not the passwords themselves. When you log in, your input is hashed and compared to the stored hash — the real password is never saved.

Digital signatures

Documents are signed by hashing them and encrypting the hash with a private key. Anyone with the public key can verify the hash matches and the document is authentic.

Cache keys & deduplication

Developers hash content to generate consistent cache keys and detect duplicate files without comparing content byte by byte.

Blockchain & data structures

Each block in a blockchain contains the hash of the previous block, creating a tamper-evident chain where modifying any block would break all subsequent hashes.

Data integrity logging

Audit logs hash each log entry so any tampering with historical records is immediately detectable.

How to Use Convixy’s Hash Generator

The Convixy Hash Generator runs entirely in your browser. Your input is never sent to any server — the hashing happens locally on your device using the browser’s built-in Web Crypto API.

Hashing vs. Encryption: A Critical Distinction

Hashing and encryption are both security techniques that transform data, but they work in fundamentally different ways and serve different purposes. This distinction matters enormously and is a common source of confusion.

Hashing is one-way. Once data is hashed, the original input cannot be recovered from the hash. A hash is a verification tool, not a storage tool. You can use it to check that something is correct, but not to retrieve what was originally entered.

Encryption is two-way. Encrypted data can be decrypted back to the original with the correct key. Encryption is a storage and transmission tool — you use it when you need to recover the original data later.

The most common security mistake that leads to major data breaches is storing passwords as encrypted values rather than hashed values. If a database of encrypted passwords is stolen, the attacker can decrypt them using the encryption key (which is often stored on the same server). If passwords are properly hashed with a strong algorithm, there is nothing to decrypt — the attacker would need to guess every possible password and check whether its hash matches, which is computationally impractical for long, complex passwords.

Never store passwords as plain text or reversible encryption. Always hash passwords using a dedicated password hashing algorithm like bcrypt, Argon2 or PBKDF2 — not general-purpose hash functions like SHA-256. Use Convixy’s Bcrypt Hash Generator for password hashing specifically.

Why General Hashing Algorithms Are Not Enough for Passwords

SHA-256 and SHA-512 are fast. That is their great virtue for most use cases — and their critical weakness for password storage. A modern GPU can compute billions of SHA-256 hashes per second. This means that if an attacker obtains a database of SHA-256-hashed passwords, they can try billions of candidate passwords per second until they find matches.

Password-specific algorithms like bcrypt, Argon2 and PBKDF2 are deliberately slow and memory-intensive. They are designed to make each hash attempt take a meaningful amount of time (typically 100–500ms), which makes brute-force attacks billions of times more expensive. They also incorporate a salt — a random value added to each password before hashing — which prevents attackers from using precomputed lookup tables (rainbow tables) to crack multiple hashes at once.

For everything except password storage, SHA-256 or SHA-512 from the standard Hash Generator is the right tool. For passwords, use bcrypt.

How to Verify a File Using Its Hash

One of the most practical everyday uses of hashing is verifying that a downloaded file is authentic and unmodified. Software publishers typically publish the SHA-256 hash of their installer alongside the download link. Here is how to use it:

Why this works: It is computationally infeasible for a malicious actor to modify a file in a way that keeps the SHA-256 hash identical. Even replacing a single byte changes the entire hash output.

Generate a hash instantly

MD5, SHA-1, SHA-256 and SHA-512 — free, runs in your browser, nothing sent to any server.

Open Hash Generator →