SHA-1 (Secure Hash Algorithm 1) produces a 160-bit (40 hex character) hash value. Designed by the NSA in 1995, it was the standard hash for over two decades before being deprecated due to collision attacks.

Why is SHA-1 deprecated?

In 2017, Google and CWI Amsterdam demonstrated the first practical SHA-1 collision (SHAttered attack), producing two different PDF files with the same SHA-1 hash. Since then, SHA-1 is considered cryptographically broken for security purposes.

Where is SHA-1 still used?

Git uses SHA-1 for commit hashes (transitioning to SHA-256). Some legacy APIs, older certificate systems, and HMAC-SHA1 (used by GitHub webhooks) still rely on it. For new projects, always prefer SHA-256.

SHA-1 Hash Generator — Generate SHA-1 Hashes Online

Generate SHA-1 hashes for any text or file. SHA-1 produces a 160-bit (40 hex character) hash. Deprecated for security but still used in Git and legacy systems.

About SHA-1

SHA-1 (Secure Hash Algorithm 1) was published by NIST in 1995 as part of the Digital Signature Standard. It processes input in 512-bit blocks and produces a 160-bit hash value, typically rendered as a 40-character hexadecimal string. For over two decades, SHA-1 was the workhorse of internet security — used in SSL/TLS certificates, PGP signatures, SSH, and IPsec protocols.

The SHAttered Attack

In February 2017, Google and CWI Amsterdam published the SHAttered attack, demonstrating the first practical SHA-1 collision. They produced two different PDF files with identical SHA-1 hashes. The attack required about 6,500 CPU-years and 110 GPU-years of computation. Since then, SHA-1 has been officially deprecated by all major browser vendors, certificate authorities, and security standards bodies.

SHA-1 in Git

Git's most visible use of SHA-1 is for commit identifiers — those 40-character hex strings like aaf4c61d. Git is transitioning to SHA-256 via the extensions.objectFormat config option, but SHA-1 remains the default. For Git's use case, SHA-1's collision vulnerability is a limited risk since Git performs additional checks, but migration to SHA-256 is recommended for new repositories.

Enter text below to generate its SHA-1 hash.

Frequently Asked Questions

Is my data safe? Is anything sent to a server?▼

No data leaves your browser. All hashing uses the Web Crypto API built into your browser (for SHA algorithms) or a local JavaScript implementation (for MD5). Files are read locally and never uploaded. Your text, files, and HMAC keys are never transmitted, stored, or logged.

What’s the difference between MD5, SHA-1, SHA-256, and SHA-512?▼

These are all cryptographic hash functions that produce fixed-size outputs from any input. MD5 produces 128-bit (32 hex character) hashes but is cryptographically broken. SHA-1 produces 160-bit (40 character) hashes but was broken in 2017. SHA-256 produces 256-bit (64 character) hashes and is the recommended standard. SHA-512 produces 512-bit (128 character) hashes for maximum security.

Which hash algorithm should I use?▼

For most purposes, use SHA-256. It’s the current industry standard, used in TLS certificates, Bitcoin, code signing, and file integrity verification. Use SHA-512 for maximum security requirements. Only use MD5 or SHA-1 for legacy compatibility where security is not a concern.

Is hashing the same as encryption?▼

No. Hashing is one-way — you cannot reverse a hash to get the original data. Encryption is two-way — encrypted data can be decrypted with the correct key. Hashing is used for verification and integrity, not confidentiality.

What is HMAC and when do I need it?▼

HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function. While a regular hash only proves integrity, HMAC also proves authenticity — the data came from someone who knows the secret key. Essential for webhook verification (Stripe, GitHub, Shopify) and API authentication.

Can I hash large files?▼

Yes. The tool reads files in chunks using streaming APIs, so it can handle files up to 2GB without running out of memory. A progress bar shows hashing progress. All processing happens locally.

How do I verify a downloaded file?▼

Go to the File Hash tab, drop your file, and compute its hash. Then compare the result with the checksum from the file’s publisher. If they match, the file is authentic. You can also use the Compare tab to verify automatically.

Why does my MD5 hash have a warning?▼

MD5 has been cryptographically broken since 2004. Collisions can be generated in seconds. It cannot be trusted for security purposes. We include it for legacy compatibility but recommend SHA-256 for anything security-related.

Can I reverse a hash to find the original text?▼

No. Cryptographic hash functions are one-way. However, weak passwords can be found using rainbow tables. This is why password hashing should use bcrypt/argon2 with salting, not raw SHA-256.

SHA-1 Hash Generator — Generate SHA-1 Hashes Online

About SHA-1

The SHAttered Attack

SHA-1 in Git

Frequently Asked Questions

Related Tools