File Hash Calculator — Verify Downloads with MD5, SHA-1, SHA-256, SHA-512
Drag and drop a file to instantly calculate its MD5, SHA-1, SHA-256, and SHA-512 hashes. Compare against the checksum published by the source to confirm your download is not corrupted or tampered with. Files are never uploaded to a server.
Hash Algorithm Comparison
| Algorithm | Output Size | Hex Characters | Typical Use |
|---|---|---|---|
| MD5 | 128-bit | 32 chars | Lightweight integrity checks only — cryptographically broken, unsuitable for passwords or digital signatures |
| SHA1 | 160-bit | 40 chars | Safer than MD5, but collision attacks are proven. Still used for non-security purposes like Git commit hashes |
| SHA256 | 256-bit | 64 chars | Currently considered secure — the standard choice for verifying software download integrity |
| SHA512 | 512-bit | 128 chars | Even longer output than SHA-256; can be faster on 64-bit CPUs |
Tips for Verifying File Hashes
- If the source does not specify which algorithm was used, just paste the hash into the comparison field — it automatically detects the matching algorithm.
- Large files (hundreds of MB or more) use significant browser memory, so computation may take several seconds to a minute. Keep the tab open while it works.
- Verifying hashes is especially worthwhile for high-impact files like ISO images and installers, where tampering could cause serious harm.
- MD5 and SHA-1 have proven collision attacks, so they are unsuitable for detecting malicious tampering. Use SHA-256 or higher for security-sensitive checks.
Frequently Asked Questions
Side Note — Why Official Sites Publish Hash Values
You may have noticed a hash value like "SHA256: a1b2c3..." listed next to a download link on a software site. This lets users verify for themselves that the file is exactly what the publisher created, with no corruption during transfer or tampering on a mirror server.
This matters most for Linux distribution ISO images, which are often downloaded from mirror servers scattered around the world. Beyond ordinary transmission errors, there is a theoretical risk that a malicious actor could compromise a mirror and distribute a tampered copy containing malware. When the official site publishes a signed list of hashes (often with a GPG signature), users can verify safety from any mirror simply by computing the hash locally and comparing it.
Hash functions have an "avalanche effect" — changing even a single bit of input produces a completely different output. This reliably catches both deliberate tampering and subtle corruption from a bad download. Even if two files are the same size, differing by just one byte produces an entirely different hash, making this far more reliable than eyeballing file sizes.