File Hash Calculator — Verify Downloads with MD5, SHA-1, SHA-256, SHA-512

Drag and drop a file to instantly calculate its MD5, SHA-1, SHA-256, and SHA-512 hashes. Compare against the checksum published by the source to confirm your download is not corrupted or tampered with. Files are never uploaded to a server.

Hash Algorithm Comparison

Algorithm Output Size Hex Characters Typical Use
MD5 128-bit 32 chars Lightweight integrity checks only — cryptographically broken, unsuitable for passwords or digital signatures
SHA1 160-bit 40 chars Safer than MD5, but collision attacks are proven. Still used for non-security purposes like Git commit hashes
SHA256 256-bit 64 chars Currently considered secure — the standard choice for verifying software download integrity
SHA512 512-bit 128 chars Even longer output than SHA-256; can be faster on 64-bit CPUs

Tips for Verifying File Hashes

  • If the source does not specify which algorithm was used, just paste the hash into the comparison field — it automatically detects the matching algorithm.
  • Large files (hundreds of MB or more) use significant browser memory, so computation may take several seconds to a minute. Keep the tab open while it works.
  • Verifying hashes is especially worthwhile for high-impact files like ISO images and installers, where tampering could cause serious harm.
  • MD5 and SHA-1 have proven collision attacks, so they are unsuitable for detecting malicious tampering. Use SHA-256 or higher for security-sensitive checks.

Frequently Asked Questions

First double-check the official hash for copy-paste mistakes, like a stray newline or extra space. If it still does not match, the file may be corrupted or tampered with — delete it without running it and re-download from the official source.

Match whichever algorithm the source publishes. If several are listed, prefer the stronger SHA-256 or SHA-512. MD5 and SHA-1 are no longer cryptographically secure and are insufficient for detecting malicious tampering.

The algorithms are identical — only the input differs (binary file vs. text string). To hash a text string instead, use our sister tool, the all-in-one string hash calculator.

Yes, as long as your browser has enough available memory — the entire file is loaded into memory at once, so multi-gigabyte files may slow down or fail in some browsers.
ツールくん

Side Note — Why Official Sites Publish Hash Values

You may have noticed a hash value like "SHA256: a1b2c3..." listed next to a download link on a software site. This lets users verify for themselves that the file is exactly what the publisher created, with no corruption during transfer or tampering on a mirror server.

This matters most for Linux distribution ISO images, which are often downloaded from mirror servers scattered around the world. Beyond ordinary transmission errors, there is a theoretical risk that a malicious actor could compromise a mirror and distribute a tampered copy containing malware. When the official site publishes a signed list of hashes (often with a GPG signature), users can verify safety from any mirror simply by computing the hash locally and comparing it.

Hash functions have an "avalanche effect" — changing even a single bit of input produces a completely different output. This reliably catches both deliberate tampering and subtle corruption from a bad download. Even if two files are the same size, differing by just one byte produces an entirely different hash, making this far more reliable than eyeballing file sizes.