Example
Input
yutils
Output (SHA-256)
8a7c9f7d3e2b1a4d6f8c3e5b2a9d1c4f7e8b5a2d9c6f3e1b8a5d2c9f6e3b1a4d
Note
The same input always yields the same 64-character hex. Changing even one character flips most of the output (avalanche effect).
Usage / FAQ
When to use
- Verify file integrity — compare a download's SHA-256 against the source
- Study content-addressed identifiers like Git commit SHAs
- Compare and validate hash values returned by APIs
- Not suitable for password storage — use the bcrypt tool instead (see FAQ)
- Compare SHA-1 / 256 / 384 / 512 while learning blockchain or digital signatures
FAQ
- Q. Can I use SHA for password storage?
- A. Not recommended. SHA is too fast — an attacker can compute billions of hashes per second, making brute force easy. Use intentionally slow algorithms like bcrypt or argon2 instead.
- Q. Is SHA-1 still safe?
- A. No longer. In 2017 Google demonstrated a collision (SHAttered) — two different PDFs with the same SHA-1. Use SHA-256 or stronger for new systems.
- Q. Does this use the Web Crypto API?
- A. Yes — built-in `crypto.subtle.digest`. Fast, safe, and your input never leaves the browser.
Fun facts
SHA-1 fell in 2017 — Google's 'SHAttered' research produced the first real collision (two different PDFs with the same SHA-1), at a cost of ~110,000 GPU-hours. Git and other SHA-1-dependent systems have been migrating to SHA-256 ever since.
shattered.io
Bitcoin's proof-of-work uses SHA-256 *applied twice* — `SHA256(SHA256(x))`. The double-hash is commonly attributed to defense against length-extension attacks. Either way, it's now the most famous SHA-256 use case.
Bitcoin Wiki — Hashing
SHA-3 is not an extension of SHA-2 — it's a completely different algorithm. NIST ran a competition starting 2007; Belgium/Italy's Keccak team won in 2012. SHA-1/SHA-2 are Merkle–Damgård; SHA-3 uses a sponge construction.
Wikipedia — SHA-3
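The `crypto.subtle.digest` call from the FAQ, applied to three points made above: checking data against a published digest, measuring the avalanche effect in bits, and the `SHA256(SHA256(x))` double hash. This is an added example, not the tool's own source; every function name is hypothetical, and the `require` fallback for older Node.js versions is an assumption.

```javascript
// Added example (not the tool's source). Web Crypto is global in browsers and
// recent Node.js; the require() fallback for older Node is an assumption.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Digest raw bytes; algorithm is "SHA-1", "SHA-256", "SHA-384" or "SHA-512".
async function digestBytes(algorithm, bytes) {
  return new Uint8Array(await subtle.digest(algorithm, bytes));
}

// Hex digest of a string, hashed as its UTF-8 encoding.
async function shaHex(algorithm, text) {
  return toHex(await digestBytes(algorithm, new TextEncoder().encode(text)));
}

// Integrity check: compare against a published hex digest, tolerating
// upper-case letters and surrounding whitespace in the published value.
async function matchesPublished(algorithm, bytes, publishedHex) {
  const actual = toHex(await digestBytes(algorithm, bytes));
  return actual === publishedHex.trim().toLowerCase();
}

// Avalanche effect: number of output bits that differ between two inputs.
async function differingBits(algorithm, textA, textB) {
  const enc = new TextEncoder();
  const a = await digestBytes(algorithm, enc.encode(textA));
  const b = await digestBytes(algorithm, enc.encode(textB));
  let count = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) count += x & 1;
  }
  return count;
}

// Bitcoin-style double hash: the second round hashes the 32 raw bytes of the
// first digest, not its 64-character hex text.
async function doubleSha256Hex(text) {
  const first = await digestBytes("SHA-256", new TextEncoder().encode(text));
  return toHex(await digestBytes("SHA-256", first));
}

// Constructed inputs: two strings that differ in their last character.
differingBits("SHA-256", "yutils", "yutilt")
  .then((n) => console.log(`${n} of 256 output bits differ`));
```

Hashing the hex text of the first digest instead of its raw bytes is the usual reason a double-SHA-256 result fails to match a reference value.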