SHA-1 Generator Online — Free SHA1 Hash Calculator

What is SHA-1?

SHA-1 is a cryptographic hash function published by the NSA in 1995 as part of the U.S. Secure Hash Standard. It takes any input and produces a 160-bit digest, typically displayed as 40 lowercase hexadecimal characters. For over a decade it was the dominant hash on the web: every TLS certificate in a browser's trust store used it, every Git object ID is still derived from it in the default repository format, and countless internal systems used it for checksums. This SHA-1 generator online computes the digest instantly in your browser, with no network request and no logs.

Is SHA-1 still safe?

Not for security purposes. In 2017, a team from Google and CWI Amsterdam published SHAttered, the first practical SHA-1 collision: two PDF files with identical SHA-1 digests but different content. The attack cost roughly 100,000 dollars in compute. Within three years the cost dropped to about 45,000 dollars with chosen-prefix attacks. Every major browser, certificate authority, and enterprise security vendor has deprecated SHA-1 for signing. Git is migrating to SHA-256 for object IDs. If you see SHA-1 in use for anything security-relevant, treat it as a finding that needs remediation.

SHA-1 is still acceptable for non-security tasks: legacy checksums, interop with systems that cannot be upgraded, and Git's current object model (where the collision resistance is a nice-to-have but not a security boundary because Git ships with collision detection). For new designs, use SHA-256.

How SHA-1 works

SHA-1 processes input in 512-bit blocks through 80 rounds. It maintains a 160-bit internal state across five 32-bit words (A, B, C, D, E), applies round-specific non-linear functions and constants, and mixes the message schedule with left rotations. After all blocks are processed, the five state words are concatenated to form the final 160-bit digest. The design is a direct evolution of SHA-0 (which had a flaw in its message schedule) and shares its overall shape with MD4 and MD5.

How to use this SHA-1 generator

1. Paste or type any text into the input field. The SHA-1 digest appears live in the results panel.
2. The results panel shows MD5, SHA-1, SHA-256, SHA-384, and SHA-512 side-by-side so you can compare digest lengths and upgrade a legacy SHA-1 check to SHA-256 in one step.
3. Click Copy to put any digest on the clipboard.
4. SHA-1 uses the browser's Web Crypto API via crypto.subtle.digest('SHA-1', ...). Nothing is sent anywhere.

Example

Input:

hello world

SHA-1 digest:

2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

Notice the digest is exactly 40 hex characters regardless of input length. The empty-string SHA-1 digest is da39a3ee5e6b4b0d3255bfef95601890afd80709, a value you will see in logs as the fingerprint of no content.

Common use cases for SHA-1

• Git object IDs. Every commit, tree, blob, and tag in a traditional Git repository is addressed by its SHA-1 hash. Git includes collision detection that would alert on a SHAttered-style attack, but the long-term migration is to SHA-256.
• Legacy checksum verification. Mirrors and archives that published SHA-1 digests years ago still want to be checkable. This tool lets you compute the digest to verify an old download.
• Interop with older protocols. Some older WebSocket handshakes, WS-Security contexts, and NTLM derivatives use SHA-1 as a primitive. Use it when the other side cannot move.
• Fingerprinting in non-adversarial contexts. If nobody benefits from finding a collision, SHA-1 is faster than SHA-256 on most hardware and can be used freely.
• Not for TLS, not for signatures, not for passwords. Use SHA-256 or stronger for anything where an attacker cares.

Privacy

This SHA-1 generator runs entirely in your browser. The input text is passed to the browser's native Web Crypto API, hashed locally, and the resulting digest is displayed next to the input. The page never emits a network request containing your input — safe for API keys, internal strings, and anything else you would not paste into a random online hash tool.

Frequently asked questions

Why is the SHA-1 digest 40 characters?

SHA-1 produces a 160-bit output. Hex uses 4 bits per character, so 160 / 4 = 40 characters. The convention is lowercase.

Is SHA-1 really broken?

For security purposes, yes. Collision attacks are practical on commodity hardware at costs well within reach of nation-state adversaries and competent criminal groups. Pre-image attacks (given a digest, find an input) are still computationally infeasible, so SHA-1 checksums of random data are not invertible — but collision resistance is what matters for signatures and certificates, and that property is gone.

Should I migrate Git to SHA-256?

Eventually, yes. Git has supported SHA-256 as an experimental object format since 2.29. Most of the ecosystem (hosting providers, CI systems, diff tools) still assumes SHA-1, so an immediate migration is usually not practical. Track the transition, plan for it, and migrate when your tooling is ready.

What is the difference between SHA-1 and HMAC-SHA1?

SHA-1 is a hash function. HMAC-SHA1 is a message authentication code that uses SHA-1 internally along with a secret key. HMAC-SHA1 is still considered secure (HMAC provides a construction that does not depend on SHA-1's collision resistance), but if you are building anything new, use HMAC-SHA256 instead. This tool computes the raw SHA-1 hash; it is not an HMAC tool.

Can I hash a file with this tool?

Not yet — this tool takes text input only. For files, use sha1sum filename on Linux/macOS or Get-FileHash filename -Algorithm SHA1 in PowerShell.