Example
Input
yutils
Output (MD5 hex)
5b9c8d3e2a1f4b7d6e8c3a5b9d2f1c4e
Note
MD5 emits 32 hex characters. Broken for security, but still useful for checksums, ETags, and cache keys.
Usage / FAQ
When to use
- File checksums for download integrity (not security)
- Gravatar lookups, ETags, and cache keys
- Compatibility with legacy systems or APIs that still emit MD5
- Consistent short hashes for change detection on DB rows
- Study why MD5 is broken — try producing two inputs with the same hash
FAQ
- Q.Is MD5 really broken?
- A.Yes. Theoretical weaknesses (1996), practical collisions (2004), forged signatures (2008). Never use for security — no passwords, TLS, or digital signatures.
- Q.Why is it still around?
- A.Speed and brevity (16 bytes, 32 hex chars). For non-security uses like ETags, cache keys, and checksums it's still fine. AWS S3 uses MD5 as the default ETag, for example.
- Q.Is Gravatar safe to use with MD5?
- A.Gravatar uses MD5 only as a stable identifier mapping email to avatar — not for security. But anyone with the email can reproduce the hash and de-anonymize users.
Fun facts
MD5 was designed by Ronald Rivest in 1991 to patch MD4's weaknesses, and standardized as RFC 1321. 'MD' stands for 'Message-Digest' — Rivest's hash series ran MD2/MD4/MD5 before branching into the RC ciphers.
RFC 1321 (1992)In 2004, Wang Xiaoyun's Shandong University team published a differential attack that produced MD5 collisions in minutes. That was 13 years before SHA-1's SHAttered, and the moment MD5 was retired from security use — it survives today only for non-adversarial integrity checks.
Wang et al. 2004 (IACR ePrint)In 2012 the Flame malware used a chosen-prefix MD5 collision to forge a Microsoft Terminal Services certificate and hijack the Windows Update channel. The first time MD5 collisions left academia and powered a nation-state attack — which is why 'don't use MD5 for passwords' isn't future-tense advice.
Wikipedia — Flame malware
Related tools
- Base64 Encode / Decode
Encode text to Base64 or decode Base64 back to text. Runs entirely in your browser, no data sent to any server.
- URL Encode / Decode
Percent-encode text for safe use in URLs, or decode percent-encoded URLs back to text. Runs entirely in your browser.
- UUID / ULID Generator
Generate UUID v4 (random), UUID v7 (time-ordered, RFC 9562), or ULID identifiers — all client-side via crypto.
- JWT Decoder
Decode the header and payload of a JSON Web Token. Signature is not verified (a public key is required). The token is processed entirely in your browser.
- JWT Encoder (HMAC)
Generate a signed JSON Web Token with HS256/HS384/HS512 (HMAC-SHA). Payload and secret stay in your browser — Web Crypto API based.
- SHA Hash
Compute SHA-1, SHA-256, SHA-384, or SHA-512 hash of text. Uses the browser's Web Crypto API; no data is sent to any server.
- Hex Encode / Decode
Encode text to hexadecimal or decode hex back to text. Supports UTF-8 multi-byte characters and tolerates whitespace.
- HTML Entity Encode / Decode
Encode HTML special characters (&, <, >, ", ') to entities, or decode named/numeric entities back to text.
- Password Generator
Generate cryptographically strong passwords, tokens, random strings, and passphrases with entropy display.
- Number Base Converter
Convert numbers between bases (binary/octal/decimal/hex/base36) using BigInt for large integers. Auto-detects 0b/0o/0x prefixes.
- URL Parser
Decompose a URL into protocol, host, path, query parameters, and hash — read-only inspection.
- HMAC Generator
Compute HMAC (Hash-based Message Authentication Code) with SHA-1/256/384/512 using the Web Crypto API.
- HMAC Verify
Verify whether a given HMAC signature matches the message + secret. Constant-time comparison via Web Crypto API.
- Punycode (IDN)
Convert international domain names to/from Punycode (xn-- encoded ASCII). Uses native URL parser.
- HTTP Status Codes
Browse and search HTTP status codes (1xx-5xx) with descriptions and common usage.
- User-Agent Parser
Parse User-Agent strings into browser, OS, device, and engine fields.
- Bcrypt Hash
Hash passwords with Bcrypt or verify a plaintext against an existing hash. Configurable salt rounds.
- Cookie Parser
Parse Cookie or Set-Cookie strings into a table. Decode percent-encoded values. Supports Set-Cookie attributes (Path/Domain/Max-Age/SameSite/HttpOnly/Secure).
- IP / CIDR Calculator
Compute network address, broadcast, host range, mask, and host count from an IPv4 + CIDR.
- cURL Builder
Build cURL commands from URL/method/headers/body. Auto-detects JSON content-type.