File Hash Generator
Generate online file hashes with MD5, SHA-1, SHA-2, SHA-3, or RIPEMD-160 and compare exact digests to verify downloads, backups, archives, and handoffs.File digest
| # | File | Size | Algo | Salt | Pos | Hash | Copy |
|---|---|---|---|---|---|---|---|
| {{ r.idx }} | {{ r.name }} | {{ r.size_human }} | {{ r.hash_type }} | {{ r.salt ? 'Yes' : 'No' }} | {{ r.salt ? (r.salt_position === 'prefix' ? 'Prefix' : 'Suffix') : '—' }} | {{ r.digest }} | |
| No history yet. | |||||||
By copying or publishing this embed code, you are responsible for how the tool appears and is used on your website.
- The embedded tool is provided for general informational and utility purposes only. It is not professional, legal, financial, medical, safety, or compliance advice.
- Results depend on the inputs, browser behavior, available data sources, and the current version of the tool. Review important results before relying on them.
- You are responsible for the surrounding page context, labels, instructions, privacy notices, accessibility, and any laws or policies that apply to your website.
- Do not embed the tool in a misleading, unlawful, harmful, or security-sensitive context.
- Simplified Tools may update, limit, suspend, or remove tools and embed behavior without prior notice.
- Analytics, network requests, cookies, browser storage, third-party services, and query parameters may apply depending on the tool and the embedding page.
If these terms do not work for your use case, do not embed the tool.
Introduction
File hashes are fixed-length digests calculated from the exact bytes inside a file. They matter whenever the real question is not whether a file looks right, but whether it is exactly the same file. A single changed byte in an installer, archive, backup, firmware image, or evidence file produces a different digest, which is why checksum lists are a common first-line integrity check.
A digest comparison is narrow but powerful. If two parties use the same algorithm on the same byte stream and get the same digest, the file contents match byte for byte. That is useful for catching corruption, incomplete transfers, silent storage errors, and many forms of accidental or malicious modification. It does not prove who created the file, whether the delivery channel was trustworthy, or whether the file is safe to open.
Different hash families solve the same integrity problem with different designs and digest sizes. Older checksum manifests still expose MD5 or SHA-1, while current security guidance prefers SHA-2 or SHA-3 for new security-sensitive work. That does not mean one family can stand in for another during comparison. A published SHA-256 checksum must be checked with SHA-256, not with SHA-512, SHA3-256, or any other digest that happens to look similar.
Salt changes the meaning of a digest by changing the bytes being hashed. The moment extra text is added before or after the file content, the result becomes a digest of file plus agreed extra data rather than a plain file checksum. That can be useful in private workflows, but it is not interchangeable with the unsalted checksum a vendor or storage system publishes for ordinary verification.
The safest mental model is simple: a matching digest answers an identity question about bytes, not a trust question about people or software. That boundary keeps checksum verification useful without asking it to do the job of signatures, authenticated distribution channels, or malware scanning.
Technical Details:
A cryptographic hash function maps input bytes of any practical length to a fixed-length digest. Good hash functions are deterministic, so the same bytes always produce the same result, and they are designed so that even tiny input changes avalanche into a very different digest. For security use, the main goals are collision resistance, preimage resistance, and second-preimage resistance. For everyday file checking, those ideas collapse into one practical rule: comparison is only meaningful when the byte stream and the algorithm are the same.
That rule explains why checksum work is stricter than it first appears. Renaming a file does not matter because the bytes stay the same. Changing the algorithm matters because the digest family changes. Adding a salt matters because the hashed byte stream changes. Moving the same salt from the front to the back matters too, because salt plus file and file plus salt are different byte sequences.
| Family | Variant | Digest bits | Hex characters | Practical note |
|---|---|---|---|---|
| MD5 | MD5 | 128 | 32 | Legacy compatibility and accidental-corruption checks only. |
| SHA-1 | SHA-1 | 160 | 40 | Legacy checksum and older record formats; not a good choice for new security use. |
| SHA-2 | SHA-224 | 224 | 56 | Less common shortened SHA-2 variant. |
| SHA-2 | SHA-256 | 256 | 64 | The usual broad-compatibility default for new checksum sharing. |
| SHA-2 | SHA-384 | 384 | 96 | Longer SHA-2 digest used in some security workflows. |
| SHA-2 | SHA-512 | 512 | 128 | Long SHA-2 digest often seen in platform or archival tooling. |
| SHA-3 | SHA3-224 | 224 | 56 | Fixed-length SHA-3 option for modern workflows that specify it. |
| SHA-3 | SHA3-256 | 256 | 64 | Modern 256-bit SHA-3 digest when a manifest or policy asks for SHA-3. |
| SHA-3 | SHA3-384 | 384 | 96 | Longer fixed-length SHA-3 option. |
| SHA-3 | SHA3-512 | 512 | 128 | Longest fixed-length SHA-3 digest in the current set. |
| RIPEMD | RIPEMD-160 | 160 | 40 | Compatibility option for older checksum ecosystems that still name it. |
Digest length is useful because it often exposes the first mistake quickly. A 64-character hexadecimal result is consistent with a 256-bit digest. A 40-character reference alongside a 128-character result usually points to a different algorithm selection, not to a subtle integrity problem. In practice, matching the named algorithm is just as important as matching the file itself.
| Change or condition | Does the byte stream stay the same? | Should the digest stay the same? | Why it matters |
|---|---|---|---|
| Same file bytes, same algorithm, no salt in both cases | Yes | Yes | This is the ordinary checksum-verification path. |
| Filename changes but the bytes do not | Yes | Yes | The digest is about file content, not the filename. |
| Algorithm changes from one family to another | No comparable method | No | Each algorithm defines a different digest function. |
| Salt text is added or removed | No | No | The salt becomes part of the hashed input. |
| The same salt moves from prefix to suffix | No | No | Byte order changes, so the digest changes too. |
| Hex letters are shown in uppercase instead of lowercase | Yes | Yes | Case changes only the display text, not the underlying value. |
| The downloaded or stored bytes are incomplete or altered | No | No | This is the mismatch a checksum is meant to reveal. |
Current standards guidance matters most when you are choosing a checksum format rather than merely matching an existing one. NIST continues to approve SHA-2 and fixed-length SHA-3 for secure-hash use, and its current policy does not require a general move away from SHA-2 just because SHA-3 exists. SHA-1 is on a retirement path, and MD5 has long been unsuitable wherever collision resistance against an attacker matters. In plain terms, legacy digests still appear in old manifests and compatibility checks, but new trust-sensitive workflows should favor SHA-2 or SHA-3.
That leaves one practical recommendation for new cross-system checksum sharing: SHA-256 is usually the safest default unless another algorithm is explicitly required. It is current, widely recognized, and easy to compare against the 64-character hex digests most release teams already publish.
Everyday Use & Decision Guide:
For a normal download check, the best first pass is plain: leave the salt blank, pick the exact algorithm named by the source, load the file, and compare the latest digest with the published checksum character for character. If the source gives SHA-256, keep the selector on the SHA-256 path and resist the urge to use a longer or newer-looking digest instead. The useful question is whether your file matches the published checksum under the same method, not whether a different hash family also produces a tidy result.
The tool is also useful when the same file needs more than one digest record. Keep the file loaded and change the algorithm, casing, or salt settings to build a session history. Each recalculation adds a row with the file name, size, algorithm, salt state, salt position, and digest, which is handy when you need to compare an old vendor manifest, satisfy mixed internal requirements, or preserve a short audit trail without reloading the file each time.
- If you are verifying a vendor download, use no salt and treat the latest digest as the main answer.
- If you are preparing an internal handoff, the row-level copy button gives a checksum-style line with the digest and filename together.
- If you need a record, the History tab can be copied or downloaded as CSV, exported as DOCX, and mirrored in the JSON tab.
- If you want a session summary, the Algorithm Mix and Salt & Case Impact tabs show what was run, but they do not strengthen or weaken any single digest comparison.
The Advanced panel is where most avoidable mistakes begin. A salt is never neutral. The Random button generates a 16-byte hexadecimal salt for deliberate custom workflows, not for routine download verification. Prefix and suffix are not cosmetic choices either. The same salt text in the wrong position creates a different digest because the byte order changes.
Before you trust a match, make sure the reference checksum came from a separate trusted source such as a release page, signed manifest, or internal record you already trust. The digest panel can confirm byte identity. It cannot repair a bad reference value or a compromised delivery path.
Step-by-Step Guide:
- Load one file by dragging it into the drop zone or choosing it from the browser picker. The current workflow hashes one file at a time.
- Set the hash type to the exact family named by your reference checksum. If you are creating a fresh checksum for sharing and no outside requirement exists, SHA-256 is the usual first choice.
- Open Advanced only if you need it. Keep Salt blank for standard verification. If you intentionally use a salt, record the exact text and whether it is prefixed or suffixed so other people can reproduce the same digest. Use uppercase only for display style.
- Wait for the Digest summary, then read the algorithm badge, any salt badge, and the digest text itself. Use the main copy button when you only need the latest digest.
- If the comparison fails, troubleshoot in this order: check digest length and algorithm, clear any accidental salt or fix the salt position, then investigate whether the file or the published checksum differs. Each corrected rerun adds a new history row, so the last row should reflect the final settings you actually trusted.
- Use the History table, JSON tab, or export actions when you need an evidence trail. Copying a history row preserves the familiar digest plus filename checksum line.
Interpreting Results:
The latest digest is the decisive output. An exact match under the same algorithm and salt rules means the compared byte streams are identical. Anything else should be read as a clue rather than a mystery. Digest length points to algorithm family, salt indicators point to a changed byte stream, and repeated mismatch under fixed settings points back to the file or the reference checksum.
| What you see | What it means | What to do next |
|---|---|---|
| Exact digest match | The bytes match the reference under the same settings. | Proceed only as far as the trusted source intended, such as install, archive, or hand off the verified file. |
| Letters differ only by case | The digest value still matches. | Treat it as a match unless your workflow requires one display style. |
| Digest length differs from the reference | You are probably using a different algorithm family. | Switch algorithms before deciding the file is wrong. |
| Digest changes after adding or moving a salt | You changed the hashed byte stream. | Remove the salt for ordinary verification or match the agreed salt rule exactly. |
| Repeated mismatch with the same visible settings | The file bytes or the reference checksum differ. | Re-download, re-copy the reference, or confirm the checksum through a separate trusted channel. |
| Charts and exports look complete but the digest does not match | The session record is fine, but the verification failed. | Trust the digest comparison over the presentation layers. |
A match still has a hard limit. It confirms byte identity with the reference you used. It does not certify authorship, prove a package is harmless, or replace a signed release process. When the source itself is in doubt, stop at the checksum result and verify the source, not just the file.
Worked Examples:
Vendor installer check. A software publisher posts a SHA-256 checksum beside a download link. Load the installer, leave Salt blank, keep the algorithm on SHA-256, and compare the 64-character digest with the published value. If every character matches, the installer bytes match the publisher's reference exactly.
Internal archive with an agreed salt. A team decides that a release archive should be hashed together with the text release-2026-q2 appended after the file bytes. Everyone using that process must keep the same suffix rule and the same salt text. The unsalted digest is expected to differ, because it answers a different question.
Troubleshooting a mismatch. A colleague sends a 40-character checksum from an older record, but the selector is still on SHA-512 from a previous run. The first clue is the digest length mismatch. After switching to the correct legacy algorithm and clearing an accidental leftover salt, the comparison becomes meaningful. If it still fails, the next step is to re-download the file or confirm the reference value rather than assuming the longer digest was more trustworthy.
FAQ:
Does the file leave my device?
No. The file is read and hashed in the browser without a server-side hashing step, and the session history stays in page memory until you reload or close the page.
Can I hash the same file several ways without selecting it again?
Yes. Changing the algorithm, salt, salt position, or output casing recalculates the digest for the currently loaded file and adds a new row to the session history.
Does the filename affect the digest?
No. The digest depends on the file bytes and, when used, the salt rule. A renamed file with identical bytes produces the same digest.
Are uppercase and lowercase digests different values?
No. Hexadecimal letter case changes only the display text. If every character matches apart from case, the digest value is the same.
How much history is kept?
Up to 500 rows are kept in the current session. When the limit is exceeded, the oldest rows are removed first.
Glossary:
- Digest
- The fixed-length hexadecimal output of a hash function.
- Collision resistance
- Resistance to finding two different inputs that produce the same digest.
- Preimage resistance
- Resistance to reconstructing an input that matches a known digest.
- Salt
- Extra data added before or after the file bytes so the digest depends on both the file and that added data.
- Checksum manifest
- A trusted list of digests published for later comparison against downloaded or stored files.