SHA-256 Hash Generator

Paste text and generate a SHA-256 digest locally for checksums, examples, cache keys, and debugging.

Runs in your browser No upload required Generate
Generate a SHA-256 digest locally with the browser Web Crypto API.

How to use Hash Generator

  1. Paste text into the input box.
  2. Select Generate SHA-256.
  3. Copy the lowercase hexadecimal digest.
  4. Avoid using plain SHA-256 as a password storage method.

Why this tool exists

A hash generator turns input text into a fixed-length digest. SHA-256 is widely used for checksums, integrity checks, cache keys, deduplication, and examples in documentation. CleanWebTools uses the browser Web Crypto API to generate the digest locally, then displays it as lowercase hexadecimal text.

A cryptographic hash is one-way in practical terms, but it is not magic privacy protection. If the original input is short or guessable, someone can hash likely values and compare them. Do not treat a bare hash of an email address, phone number, password, or token as anonymized data. For passwords, use a dedicated password hashing algorithm with salt and work factors, not a simple SHA-256 digest.

This page is intentionally narrow. It generates SHA-256 from text and does not ask for files, secrets, API keys, or server-side processing. That keeps the tool fast and predictable. If you need to compare files, sign payloads, or build authentication schemes, use a purpose-built security workflow rather than a quick web utility.

Use this tool for everyday engineering tasks: checking whether two snippets are identical, creating a deterministic example digest, documenting an API signature input, or producing a quick checksum for non-sensitive text.

Common examples

  • Hash an empty string and confirm you get the canonical constant e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 — a handy sanity check that your TextEncoder and hex conversion are wired up correctly.
  • Hashing the text 'hello' returns 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, and it stays exactly 64 hex characters whether you hash one word or a multi-GB file.
  • Generate a deterministic cache key from a small JSON snippet: the same input always produces the same 256-bit digest, so two identical payloads collapse to one key for deduplication.

FAQ

Why does the digest come out as '[object ArrayBuffer]' instead of a hex string?

Because crypto.subtle.digest('SHA-256', data) resolves to an ArrayBuffer, not text. You have to convert it yourself: Array.from(new Uint8Array(buf)).map(b => b.toString(16).padStart(2,'0')).join(''). Skip the padStart and any byte below 0x10 loses its leading zero, silently corrupting the hash.

Why shouldn't I use SHA-256 to store passwords?

It is built for speed, not for resisting guessing. A single RTX 4090 churns through about 22 billion SHA-256 hashes per second (hashcat mode 1400, ~21,975 MH/s in the public v6.2.6 benchmark), and because the hash is unsalted, common passwords fall instantly to precomputed rainbow tables. Use a deliberately slow, salted KDF instead — Argon2id (OWASP's first pick) or bcrypt. The same GPU manages only about 184,000 bcrypt guesses per second at the default work factor, and just a few thousand per second at the higher cost factors production systems use — roughly five orders of magnitude slower than raw SHA-256, by design.

Why is crypto.subtle undefined in production but fine on localhost?

SubtleCrypto is only exposed in secure contexts. https:// pages and http://localhost qualify, but a plain http:// page served from a remote host does not, so crypto.subtle reads as undefined there. This mismatch is the single most common cause of 'Cannot read properties of undefined' errors that never showed up in local dev. Also watch the algorithm string: it must be the exact uppercase, hyphenated 'SHA-256' — 'SHA256' or 'sha-256' throws.

By Alpha Loop · Last updated