PasswordHive

Generate Password Hashes — MD5, SHA-256 & SHA-512 Online

Generate password hashes using MD5, SHA1, SHA256, and SHA512 algorithms. For production use, consider bcrypt instead.

Important Security Note

MD5, SHA1, SHA256, and SHA512 are NOT secure for password storage. They're too fast and vulnerable to brute force. Use bcrypt or Argon2 for storing passwords. These hashes are useful for checksums, integrity verification, and educational purposes.

MD5 (128-bit)
SHA-1 (160-bit)
SHA-256 (256-bit)
SHA-512 (512-bit)
Copied to clipboard!
Use Bcrypt Instead (Recommended) Generate Strong Password

Hash Algorithm Comparison

Understanding the differences between hashing algorithms helps you choose the right one for your use case.

Algorithm Output Size Speed Password Storage Use Case
MD5 128 bits Very Fast ❌ Broken Legacy checksums only
SHA-1 160 bits Fast ❌ Broken Legacy systems only
SHA-256 256 bits Fast ⚠️ Not Recommended File integrity, certificates
SHA-512 512 bits Fast ⚠️ Not Recommended File integrity, certificates
Bcrypt 184 bits Slow (configurable) ✓ Recommended Password storage

Why Fast Hashes Are Dangerous

Modern GPUs turn password cracking from years to seconds.

Hash cracking speeds on modern GPU hardware
Algorithm RTX 4090 Speed 8-char Password Verdict
MD5 164 GH/s ~37 minutes Broken
SHA-1 55 GH/s ~2 hours Broken
SHA-256 22 GH/s ~5 hours Too Fast
SHA-512 7.5 GH/s ~14 hours Too Fast
bcrypt (cost 12) 184 KH/s ~6.9 years Recommended
Argon2id ~50 KH/s ~25 years Best

Benchmarks from Hashcat on RTX 4090. 8-character password assumes full 95-character set.

Anatomy of Hash Outputs

Understanding hash structure helps you identify algorithms and verify integrity.

MD5

❌ Broken - Never use for passwords
5f4dcc3b5aa765d61d8327deb882cf99
Length: 32 hex chars
Bits: 128
Created:

SHA-256

⚠️ OK for checksums, not passwords
5e884898da28047d9d6eb8d7a3ed7bfc1b4c2b4a93f8c4a8
Length: 64 hex chars
Bits: 256
Created:

bcrypt

✓ Designed for passwords
$2b$12$N9qo8uLOickgx2ZMRZoMyejhPHsqZ.LUGi5..Dqy25iy
Algorithm ($2b$)
Cost factor (12)
Salt (22 chars)
Hash (31 chars)

Salt is automatically generated and embedded. Generate bcrypt hashes →

When to Use Each Algorithm

Different use cases require different hash types.

Password Storage

  • Argon2id — PHC winner, best security
  • bcrypt — Widely supported, proven
  • scrypt — Memory-hard, GPU resistant

Never for Passwords

  • MD5 — Broken, collision attacks
  • SHA-1 — Broken, collisions demonstrated
  • SHA-256/512 — Too fast for passwords

📄 File Integrity & Checksums

  • SHA-256 — Standard, widely used
  • SHA-512 — Higher security margin
  • BLAKE3 — Fastest modern choice

🔏 Digital Signatures & Certs

  • SHA-256 — TLS certs, code signing
  • SHA-384/512 — Higher security needs
  • SHA-3 — NIST standard

Frequently Asked Questions

Common questions about password hashing.

Password Strength Checker
Previous Tool
Policy Validator
Next Tool
Bcrypt Generator

Understanding Password Hashing

Password hashing is fundamental to modern security, but choosing the wrong algorithm can leave your users vulnerable. This guide explains when to use different hash types and why our password hash generator includes algorithms you shouldn't use for passwords—along with what you should use instead.

The Purpose of Hashing

Hashing transforms input into a fixed-length string that appears random. The same input always produces the same hash, but you can't reverse the process to recover the input. This makes hashing perfect for password verification: store the hash, and when users log in, hash their input and compare. Even if attackers steal your database, they get hashes—not passwords.

The critical distinction is between fast hashes (MD5, SHA family) and slow hashes (bcrypt, Argon2). Fast hashes were designed for speed—verifying file integrity, creating checksums. Slow hashes were specifically designed for passwords, intentionally consuming more resources to resist brute force attacks.

Why MD5 and SHA Are Dangerous for Passwords

Modern GPUs can compute over 10 billion MD5 hashes per second. A password that would take centuries with bcrypt falls in minutes with MD5. SHA-256 and SHA-512 are cryptographically stronger but just as fast, making them equally unsuitable for passwords.

Additionally, MD5 and SHA-1 have known collision vulnerabilities—two different inputs can produce the same hash. While this doesn't directly enable password cracking, it undermines trust in the algorithm. SHA-256 and SHA-512 remain collision-resistant but should still never be used for passwords due to their speed.

Appropriate Uses for These Algorithms

SHA-256 and SHA-512 remain excellent choices for file integrity verification, digital signatures, blockchain applications, and HMAC constructions. MD5 and SHA-1 should only be used for legacy compatibility. If you're building anything new, use SHA-256 or better for checksums, and bcrypt or Argon2 for passwords.

For WordPress sites, the platform uses phpass with multiple rounds—slower than plain SHA but not as secure as bcrypt. If you're working with WordPress, use the appropriate phpass-compatible hash generation for compatibility. For custom applications, always choose bcrypt with appropriate work factors.

Best Practices for Developers

Always use established libraries for password hashing—never implement your own. Most languages have built-in bcrypt support. Always salt passwords (bcrypt does this automatically). Use appropriate work factors that make hashing take 0.5-1 second on your hardware. Test password strength and enforce sensible password policies to reduce reliance on hashing strength alone.

Remember: even the best hash can't save a password like "password123". Use our password generator to create strong passwords, then hash them properly. Security is defense in depth—strong passwords combined with proper hashing provide the best protection.