SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that produces a 160-bit (40 hexadecimal character) hash value. It was the standard for SSL certificates and digital signatures for many years but was deprecated in 2017 after the SHAttered collision attack was demonstrated.

SHA1 is deprecated for security-sensitive uses. In 2017, Google and CWI Amsterdam demonstrated the first practical SHA1 collision (the SHAttered attack). SHA1 should not be used for digital signatures, certificates, or password hashing. For non-security checksums it remains acceptable, but SHA256 is preferred for all new projects.

What should I use instead of SHA1?

Use SHA256 for most applications. It is fast, secure, universally supported, and part of the SHA-2 family with no known practical attacks. For password hashing specifically, use bcrypt, scrypt, or Argon2 - not SHA256 directly.

HMAC-SHA1 combines the SHA1 hash function with a secret key to produce a message authentication code. It is still considered reasonably safe for HMAC use cases even though plain SHA1 is deprecated, because the secret key makes the collision attack impractical. OAuth 1.0 uses HMAC-SHA1 for request signing.

Can I hash a file with SHA1?

Yes. Switch to the File tab and drop any file. MD5, SHA1, SHA256 and SHA512 are all computed simultaneously in your browser using the Web Crypto API. Your file is never uploaded to any server.

What was the SHAttered attack?

SHAttered was the first practical SHA1 collision, published in 2017 by Google and CWI Amsterdam. They produced two different PDF files with identical SHA1 hashes, proving SHA1 was broken for cryptographic use. It required approximately 9.2 quintillion SHA1 computations. See shattered.io for the full details.

What is the difference between SHA1 and SHA256?

SHA1 produces a 160-bit (40 hex character) hash and is deprecated. SHA256 produces a 256-bit (64 hex character) hash and is the current secure standard. SHA256 is part of the SHA-2 family and has no known practical attacks. For any new project, SHA256 should be used instead of SHA1.

SHA1 Hash Generator - File Hashing, Verification & More

Generate SHA1 hashes from text or files, verify integrity, visualize the avalanche effect, detect hash formats, and run HMAC-SHA1 - all in your browser, nothing uploaded.

Always Free File hashing Verification mode Runs in browser

Text · File · Batch · HMAC · Avalanche · Identicon

Hash any file client-side - nothing ever uploaded

Verification mode - confirm hash integrity instantly

Avalanche visualizer - see how one char changes everything

Input text

Uppercase 0 chars

SHA1 Deprecated - use SHA256 for security

Algorithm comparison

Algorithm	Bits	Hex length	Speed	Security
MD5	128	32	Fastest	⚠️ Broken
SHA1 ← you are here	160	40	Fast	⚠️ Deprecated
SHA256	256	64	Fast	✅ Secure
SHA512	512	128	Medium	✅ Secure

What makes it different

Every other SHA1 tool
does one thing. This does ten.

File hashing, verification, avalanche visualization, HMAC, batch processing, format detection, identicons, and hash chains - all free, all in your browser.

Client-side file hashing

Hash any file directly in your browser. All three algorithms (MD5, SHA1, SHA256) computed simultaneously with a live progress bar.

your files stay private

Hash verification mode

Paste text and an expected SHA1 hash - get an instant match/no-match result with how many characters differ.

one-click integrity check

Avalanche visualizer

Change one character and watch every bit of the 40-character SHA1 hash change - highlighted in red character by character.

educational, shareable

HMAC-SHA1

Generate HMAC-SHA1 with a secret key - the signing mechanism used by OAuth 1.0. Try it with your consumer secret and request string.

OAuth signing

Hash format detector

Paste any hash and identify which algorithm produced it based on length and format - useful when you find a hash with no label.

identify unknown hashes

Hash identicon

Visualize your SHA1 hash as a unique pixel identicon - download it as PNG. Every hash produces a completely different pattern.

visual fingerprint

Quick guide

Generate SHA1 hashes in seconds

Choose your mode

Pick Text for quick hashing, File for large files, Verify for integrity checks, or Batch for multiple inputs at once.

Type, paste, or drop

Hash updates live as you type. Drop any file for client-side hashing - progress bar shows live status, nothing is uploaded.

Copy, verify, or explore

Copy the hash, verify against an expected value, generate an identicon, or explore the avalanche effect.

What is SHA1 and should you still use it?

SHA1 (Secure Hash Algorithm 1) was designed by the NSA and published in 1995. It produces a 160-bit (40 hexadecimal character) hash. For over 20 years it was the dominant algorithm for SSL/TLS certificates, digital signatures, and software integrity checks.

In 2017, Google and CWI Amsterdam published the SHAttered attack - the first practical SHA1 collision, where two different PDF files were crafted to produce the same SHA1 hash. This took approximately 9.2 quintillion SHA1 computations, costing around $110,000 in cloud computing. While expensive, this demonstrated that SHA1 was practically broken for security-sensitive use cases. All major browsers stopped accepting SHA1 certificates in 2017.

SHA1 vs SHA256: SHA1 produces a 40-character hash (160 bits). SHA256 produces a 64-character hash (256 bits). SHA256 is part of the SHA-2 family and has no known practical attacks. For any new project, use SHA256. The speed difference is negligible on modern hardware.

Where SHA1 is still acceptable

For non-security checksums - verifying file integrity where an attacker cannot craft a malicious file - SHA1 remains acceptable, though SHA256 is preferred for consistency. SHA1 is also still used in HMAC contexts (HMAC-SHA1) where it remains reasonably secure due to the secret key preventing the collision attack.

FAQ

SHA1 questions,
answered.

Everything about SHA1, when to use it, and what to use instead.

Ask a question

What is SHA1?

SHA1 is a cryptographic hash function producing a 160-bit (40 hex character) hash. It was the standard for SSL certificates and digital signatures for over 20 years but was deprecated in 2017 after the SHAttered collision attack was demonstrated.

Is SHA1 safe to use?

SHA1 is deprecated for security-sensitive uses like digital signatures and certificates. For non-security checksums it is still acceptable, but SHA256 is recommended for all new projects. HMAC-SHA1 remains reasonably safe when a strong secret key is used.

What is the SHAttered attack?

SHAttered was the first practical SHA1 collision, published in 2017 by Google and CWI Amsterdam. They produced two different PDF files with the same SHA1 hash, demonstrating that SHA1 was practically broken for cryptographic use. See shattered.io for details.

What is HMAC-SHA1 used for?

HMAC-SHA1 is used by OAuth 1.0 for signing API requests. Despite SHA1 being deprecated, HMAC-SHA1 is still considered reasonably safe for message authentication because the secret key prevents the collision attack that broke plain SHA1.

Are my files uploaded when I use file hashing?

No. File hashing uses the Web Crypto API and runs entirely in your browser. Your files are never sent to any server and can be hashed even offline once the page has loaded.

SHA1 Hash Generator - File Hashing, Verification & More

Every other SHA1 tooldoes one thing. This does ten.

Client-side file hashing

Hash verification mode

Avalanche visualizer

HMAC-SHA1

Hash format detector

Hash identicon

Generate SHA1 hashes in seconds

Choose your mode

Type, paste, or drop

Copy, verify, or explore

What is SHA1 and should you still use it?

Where SHA1 is still acceptable

Other hash generators

SHA256 Hash Generator

MD5 Hash Generator

Base64 Encoder/Decoder

URL Encoder Decoder

SHA1 questions,answered.

Every other SHA1 tool
does one thing. This does ten.

SHA1 questions,
answered.