How to use the SHA-1 Hash Generator
Generate a SHA-1 hash in seconds:
1
Paste your text
Enter any text into the input panel. SHA-1 is computed using the Web Crypto API with 150ms debounce on keystroke.
2
Choose output format
Select hex (lowercase), HEX (uppercase), or Base64. All three represent the same 160-bit hash value.
3
Hash a file (optional)
Use 'Hash File' to compute the SHA-1 checksum of a binary file for integrity comparison.
4
Copy the result
Click Copy to grab the 40-character SHA-1 hash.
When to use this tool
Use SHA-1 for legacy compatibility and non-security fingerprinting:
- →Understanding or verifying Git commit IDs, blob hashes, and tree objects (Git uses SHA-1 internally)
- →Verifying OAuth 1.0 HMAC-SHA1 signatures in legacy API integrations
- →Computing checksums for legacy systems that specifically require SHA-1 format
- →Replicating SHA-1 hashes found in older documentation or codebases for debugging purposes
- →Educational purposes — learning how 160-bit hash outputs differ from MD5 and SHA-256
- →Transitioning legacy systems that currently use MD5 to at least the stronger (though deprecated) SHA-1
Frequently asked questions
Q:Is SHA-1 safe to use in 2024 and beyond?
SHA-1 is deprecated for security-critical applications. In 2017, Google and CWI Amsterdam published the SHAttered attack — the first practical SHA-1 collision, producing two different PDF files with identical SHA-1 hashes. As a result, major browsers stopped trusting SHA-1 TLS certificates, and code-signing authorities have phased it out. For new applications, use SHA-256 or SHA-3. HMAC-SHA1 (used in OAuth 1.0 and some MACs) is still considered safe because HMAC's construction resists collision attacks, but SHA-256 is always preferred.
Q:Why does Git use SHA-1 if it's deprecated?
Git uses SHA-1 as a content-addressable object identifier, not for security. Git commit, blob, and tree objects are identified by their SHA-1 hash, which allows distributed repositories to detect data corruption and identify objects uniquely. The security risk from SHA-1 collisions in Git is mitigated by several factors: an attacker would need physical access to craft a malicious commit that matches a legitimate one, and Git has implemented additional hardening. Git is actively migrating to SHA-256 (available since Git 2.29) via the --object-format=sha256 flag, but SHA-1 remains the default for backwards compatibility.
Q:What is the difference between SHA-1 and MD5?
SHA-1 produces a 160-bit (40 hex char) output while MD5 produces a 128-bit (32 hex char) output — SHA-1 is slightly larger and theoretically more collision-resistant. Both are considered broken for security purposes: MD5 collision attacks are faster and more practical, while SHA-1 collisions have been demonstrated but require significantly more computation. SHA-1 is about 20-30% slower than MD5 on typical hardware. Neither should be used for passwords, digital signatures, or certificates — use SHA-256 or SHA-3 instead.
Q:How many characters does a SHA-1 hash produce?
SHA-1 always produces exactly 160 bits of output, which is represented as 40 hexadecimal characters (since each hex character encodes 4 bits: 160 / 4 = 40). In Base64 encoding, the same 160-bit value becomes 28 characters (with padding). The output length is always fixed regardless of input size — whether you hash a single character or a 1 GB file, the SHA-1 output is always 40 hex characters.
Q:Is HMAC-SHA1 still safe even though SHA-1 is deprecated?
Yes — HMAC-SHA1 is still considered computationally secure despite SHA-1's deprecation. The HMAC construction (Hash-based Message Authentication Code) is designed to resist collision attacks by combining the key with the hash input in a way that makes collision-based attacks inapplicable. HMAC security depends on the hash function's pre-image resistance, not collision resistance, and SHA-1's pre-image resistance remains intact. However, you should still prefer HMAC-SHA256 for new implementations — it provides a larger security margin and is the current industry standard.
Q:What does SHA stand for, and who created SHA-1?
SHA stands for Secure Hash Algorithm. SHA-1 was designed by the United States National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995 as a revision of SHA-0 (which had a critical flaw discovered by the NSA before publication). SHA-1 was part of the Digital Signature Standard (DSS). The SHA-2 family (SHA-256, SHA-512, etc.) was also designed by the NSA and published by NIST in 2001. SHA-3 uses a completely different algorithm (Keccak, designed by Bertoni, Daemen, Peeters, and Van Assche) selected by NIST in 2012 through an open public competition.