SHA-1 Hash Generator

Generate a SHA-1 hash from text online. Type or paste a message to calculate its 160-bit digest as a 40-character lowercase hexadecimal string, then copy the result. Processing runs locally in your browser with the Web Crypto API. SHA-1 remains useful for legacy compatibility but should not protect new security-sensitive systems.

Examples
Empty string
Input: (empty)
Output: da39a3ee5e6b4b0d3255bfef95601890afd80709

The SHA-1 hash of empty input is a well-known constant.

Plain text
Input: hello world
Output: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

Short input produces a fixed 40-character hex string.

Avalanche effect
Input: Hello world
Output: 7b502c3a1f48c8609ae212cdfb639dee39673f5e

A single bit flip (lowercase h → uppercase H) yields a completely different hash.

Standard SHA-1 test vector
Input: The quick brown fox jumps over the lazy dog
Output: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12

A widely used test vector for checking that a SHA-1 implementation returns the expected digest.

What is SHA-1?

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function standardized in 1995. It converts input of any length into a fixed 160-bit (20-byte) digest, normally written as 40 hexadecimal characters. This online SHA-1 calculator displays the digest in lowercase hex.

SHA-1 is deterministic and one-way, but it is no longer collision-resistant enough for modern security. Practical collision attacks can create different inputs with the same SHA-1 digest. Use this generator for compatibility, testing, and non-adversarial identification—not for new signatures, certificates, or other collision-sensitive designs.

Where SHA-1 is still used—and where it should not be

SHA-1 remains in legacy protocols, existing Git repositories, older HMAC-SHA-1 integrations, and data sets whose identifiers cannot be changed easily. It can also reproduce a published legacy checksum or help detect accidental corruption when no malicious actor is involved.

Do not choose SHA-1 for new digital signatures, certificate signatures, tamper-resistant checksums, or content identifiers exposed to hostile input. A collision attack does not reveal an original message, but it breaks the assumption that one digest uniquely identifies one input. Prefer SHA-256, SHA-512, SHA-3, or another modern algorithm when you control the format.

How to use the SHA-1 hash generator
  1. Type or paste the text you want to hash into the input field.
  2. Keep SHA-1 selected in the algorithm menu.
  3. The generator calculates the digest in your browser and shows a 40-character hexadecimal result.
  4. Use the copy button to place the SHA-1 hash on your clipboard.

The calculator hashes the exact UTF-8 bytes of your text. Letter case, spaces, punctuation, Unicode characters, and line endings are significant, so preserve them when reproducing or verifying a hash. An empty input is valid and produces the standard SHA-1 empty-string digest. You can switch the menu to compare the same text with SHA-256, SHA-512, SHA-3, BLAKE2, MD5, or CRC32.

How the SHA-1 algorithm works

SHA-1 encodes the message as bytes, appends padding and the original bit length, and divides the result into 512-bit blocks. Each block passes through 80 rounds that combine 32-bit operations, modular additions, round constants, and an expanded message schedule. Five 32-bit state words form the final 160-bit digest.

A small input change normally alters many output bits—the avalanche effect. However, collision resistance is a separate property, and practical chosen-prefix collision techniques make SHA-1 unsuitable when an attacker can craft both inputs. SHA-1 preimage attacks are still not practical, but that does not restore its safety for signatures or adversarial integrity checks.
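
The steps above (padding, 512-bit blocks, message schedule, 80 rounds, five state words) written out as an added study example. It is not this page's code, which uses the Web Crypto API; the names sha1Hex, PAGE_VECTORS and failedVectors are chosen here for illustration.

```javascript
// Added example: SHA-1 written out step by step for study. Production code
// should call a maintained implementation such as crypto.subtle.digest.
const rotl = (x, n) => ((x << n) | (x >>> (32 - n))) >>> 0;

function sha1Hex(text) {
  const msg = new TextEncoder().encode(text); // exact UTF-8 bytes of the input
  // Padding: 0x80, zero bytes, then the bit length as a 64-bit big-endian
  // integer, so the total is a multiple of 64 bytes (512 bits).
  const total = Math.ceil((msg.length + 9) / 64) * 64;
  const buf = new Uint8Array(total);
  buf.set(msg);
  buf[msg.length] = 0x80;
  const view = new DataView(buf.buffer);
  view.setUint32(total - 8, Math.floor(msg.length / 0x20000000)); // high word
  view.setUint32(total - 4, (msg.length << 3) >>> 0);             // low word

  const h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0];
  const w = new Uint32Array(80); // expanded message schedule
  for (let off = 0; off < total; off += 64) {
    for (let t = 0; t < 16; t++) w[t] = view.getUint32(off + 4 * t);
    for (let t = 16; t < 80; t++) {
      w[t] = rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);
    }
    let [a, b, c, d, e] = h;
    for (let t = 0; t < 80; t++) { // 80 rounds, four groups of 20
      let f, k;
      if (t < 20) { f = (b & c) | (~b & d); k = 0x5a827999; }
      else if (t < 40) { f = b ^ c ^ d; k = 0x6ed9eba1; }
      else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8f1bbcdc; }
      else { f = b ^ c ^ d; k = 0xca62c1d6; }
      const temp = (rotl(a, 5) + f + e + k + w[t]) >>> 0; // addition mod 2^32
      e = d; d = c; c = rotl(b, 30); b = a; a = temp;
    }
    [a, b, c, d, e].forEach((v, i) => { h[i] = (h[i] + v) >>> 0; });
  }
  // Five 32-bit state words, big-endian, give the 40-character digest.
  return h.map(v => v.toString(16).padStart(8, '0')).join('');
}

// Vectors copied from the examples on this page.
const PAGE_VECTORS = [
  ['', 'da39a3ee5e6b4b0d3255bfef95601890afd80709'],
  ['hello world', '2aae6c35c94fcfb415dbe95f408b9ce91ee846ed'],
  ['Hello world', '7b502c3a1f48c8609ae212cdfb639dee39673f5e'],
  ['The quick brown fox jumps over the lazy dog', '2fd4e1c67a2d28fced849ee1bb76e7391b93eb12'],
];
const failedVectors = () => PAGE_VECTORS.filter(([m, d]) => sha1Hex(m) !== d).map(([m]) => m);
```

failedVectors() returns the inputs whose computed digest disagrees with the page's examples; an empty array means every vector matched.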

FAQ

Not for new security-sensitive designs that depend on collision resistance, such as digital signatures or attacker-resistant content identifiers. SHA-1 has practical collision attacks. It can still serve legacy compatibility and non-adversarial identification, but use SHA-256 or a modern alternative whenever you control the system.

Many existing Git repositories use SHA-1 object identifiers because changing an object format affects every identifier and integration. Git implementations also apply collision-detection defenses, and a SHA-256 repository format exists for migration. This does not make SHA-1 a good choice for a new general-purpose security design; it reflects compatibility requirements and Git-specific protections.

No. SHA-1 is a one-way function, so there is no SHA-1 decoder or decryption key that restores the original text. Someone can only guess a possible input, hash it, and compare the result. That can expose short or predictable values, but it does not reverse the algorithm. Collision attacks and reversal are different problems.

The SHA-1 calculation runs locally in your browser through the Web Crypto API; the text is not sent to the server for hashing. Avoid placing secrets into any website on a device or browser you do not trust.

MD5 produces 128 bits and has practical collision attacks. SHA-1 produces 160 bits and also has practical collision attacks. SHA-256 produces 256 bits and has no known practical collision or preimage attack. Use the exact algorithm required for legacy compatibility, but prefer SHA-256 or stronger for new security-sensitive systems.

Do not store passwords with raw SHA-1. It is deliberately fast, which enables large-scale password guessing, and its collision weakness provides no benefit. Use a maintained implementation of Argon2id, scrypt, bcrypt, or PBKDF2 with a unique random salt and an appropriately configured work factor.

The two tools are probably hashing different bytes. Check letter case, leading or trailing spaces, tabs, line endings, Unicode normalization, and whether the other tool expects plain text, hex, Base64, or a file. This generator interprets the input as text and encodes it as UTF-8 before hashing.
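
A diagnostic for the mismatch described above, as an added example that is not part of this page's tool: it dumps the UTF-8 bytes of two inputs and reports the smallest set of canonicalizations (line endings, surrounding whitespace, Unicode normalization, letter case) that makes them equal. The names utf8Hex, CHECKS and explainMismatch and the sample pairs are constructed for illustration.

```javascript
// Added example: find which canonicalizations reconcile two text inputs.
// Hex dump of the UTF-8 bytes a text hasher actually consumes.
const utf8Hex = s => Array.from(new TextEncoder().encode(s),
  b => b.toString(16).padStart(2, '0')).join(' ');

// Each entry removes one property the page lists as significant.
const CHECKS = [
  ['line endings', s => s.replace(/\r\n?/g, '\n')],
  ['leading/trailing whitespace', s => s.trim()],
  ['Unicode normalization', s => s.normalize('NFC')],
  ['letter case', s => s.toLowerCase()],
];

// Returns [] when the inputs already match, the smallest set of check names
// whose canonicalization makes them match, or null when the text itself differs.
function explainMismatch(a, b) {
  if (a === b) return [];
  let best = null;
  for (let mask = 1; mask < (1 << CHECKS.length); mask++) {
    const picked = CHECKS.filter((_, i) => mask & (1 << i));
    const canon = s => picked.reduce((acc, [, fix]) => fix(acc), s);
    if (canon(a) === canon(b) && (!best || picked.length < best.length)) {
      best = picked;
    }
  }
  return best ? best.map(([name]) => name) : null;
}

// Constructed sample pairs (not from the page).
const SAMPLES = [
  ['hello world', 'Hello world'],
  ['line one\r\nline two', 'line one\nline two'],
  ['caf\u00e9', 'cafe\u0301'],
  [' Hello world\n', 'hello world'],
  ['hello world', 'hello there'],
];
const report = () => SAMPLES.map(([a, b]) =>
  ({ a: utf8Hex(a), b: utf8Hex(b), causes: explainMismatch(a, b) }));
```

A null result means no listed canonicalization reconciles the inputs, so look at encoding mismatches instead, such as one tool hashing decoded hex or Base64 rather than the text.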

This page hashes text entered in the input field; it does not read uploaded files. Pasting a filename hashes the filename itself, not the file contents. To check a legacy SHA-1 file checksum, use a utility that reads the file bytes and compare its 40-character result with a checksum from a trusted source. Prefer SHA-256 when a modern checksum is available.