# Hash Generator — Manual

> Full feature reference for the Hash Generator: text and file hashing, every algorithm, HMAC, hex output, the passphrase generator, and the limits.

Source: https://www.jpkc.com/db/en/tools/hash/manual/

This manual describes the **Hash Generator** in full: how text and file hashing work, which algorithms exist, what HMAC does, and what limits apply.

## Layout of the interface

The tool is split into two areas:

1. **Text hashing** (top) — on the left the input (**Input** with the **Message** field and the optional **HMAC Secret Key**), on the right the output (**Output**) and the **Algorithms** buttons.
2. **File hashing** (**File Hash**, bottom) — on the left a drop area for a file, on the right the result table **File Checksums**.

## Text hashing

### Input and flow

You type or paste your text into the **Message** field (a multi-line text area, placeholder "Enter text to hash…"). Then you click one of the **Algorithms** buttons. **Important:** the hash is computed **when you click an algorithm button**, not automatically as you type — so you deliberately choose which algorithm to see. The result appears in the **Output** field as a hexadecimal string.

The **Output** field is editable (`contenteditable`), and the **Copy** button next to it puts the displayed hash on your clipboard. Before your first click it shows the hint "Select an algorithm below…".

The **Message** field also keeps a local **history**: after each hash, the message is saved so you can recall earlier inputs.

### Output encoding

All text hashes are output as **hexadecimal** (`CryptoJS.enc.Hex`) — lowercase, no separators. There is no Base64 or other encoding for the text output. The output length depends on the algorithm (e.g. 32 hex characters for MD5, 64 for SHA-256, 128 for SHA-512).

### The algorithms in detail

The buttons are grouped by family. Each plain button produces the raw hash; the HMAC buttons produce the keyed variant (see below).

#### MD5

- **MD5** — 128-bit hash, 32 hex characters. Very fast but **cryptographically broken** (collisions are practically achievable). Use only as a non-security checksum.
- **HMAC** (HMAC-MD5) — MD5 with a secret key.

#### SHA-1 / SHA-2

- **SHA-1** — 160-bit, 40 hex characters. Also **broken**; for compatibility or simple checksums only.
- **224** (SHA-224) — 56 hex characters.
- **256** (SHA-256) — 64 hex characters. Today's standard for file integrity.
- **384** (SHA-384) — 96 hex characters.
- **512** (SHA-512) — 128 hex characters.
- Each of these five has its own **HMAC** button (HMAC-SHA-1, HMAC-SHA-224/256/384/512).

#### SHA-3

- **224**, **256**, **384**, **512** (SHA-3 with 224/256/384/512-bit output) — the modern Keccak-based family. Unlike SHA-2, only the **512-bit variant** has an **HMAC** button (HMAC-SHA-3); the SHA-3 224, 256, and 384 variants have no HMAC button.

#### RIPEMD

- **RIPEMD-160** — 160-bit, 40 hex characters.
- **HMAC** (HMAC-RIPEMD-160) — with a secret key.

### HMAC — keyed authentication

HMAC stands for **Keyed-Hash Message Authentication Code**. Unlike a plain hash, HMAC combines the message with a **secret key** — so you can verify not only *that* a message is unchanged, but *that it came from someone holding the key* (authenticity). Typical use: API request signatures and webhook verification.

How to use it:

1. Enter your key in the **HMAC Secret Key** field (marked "(optional)" in the tool, with the note "Required for HMAC variants" — i.e. needed for the HMAC buttons).
2. Click an **HMAC** button (e.g. HMAC next to SHA-256).
3. The result is the HMAC of the message under that key, again as hex.
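The receiving side of the webhook use case mentioned above, as an added example that is not the tool's own code: it recomputes the HMAC in the same lowercase-hex format and compares it in constant time. It runs in Node.js with the built-in `crypto` module rather than CryptoJS; the function names, key and body are constructed, and UTF-8 encoding of key and message is an assumption.

```javascript
// Added example for Node.js; the key, body and signature are constructed samples.
const { createHash, createHmac, timingSafeEqual } = require('node:crypto');

// HMAC as lowercase hex without separators, the format the tool displays.
// Assumption: key and message are encoded as UTF-8 before hashing.
function hmacHex(algorithm, key, message) {
  return createHmac(algorithm, Buffer.from(key, 'utf8'))
    .update(message, 'utf8')
    .digest('hex');
}

// Receiver side of a signed webhook: recompute the HMAC over the raw body and
// compare it with the hex signature that arrived with the request.
function verifySignature(key, rawBody, receivedHex, algorithm = 'sha256') {
  const expected = Buffer.from(hmacHex(algorithm, key, rawBody), 'hex');
  const candidate = String(receivedHex).trim().toLowerCase();
  // Reject malformed input first: timingSafeEqual throws on unequal lengths.
  if (!/^[0-9a-f]+$/.test(candidate) || candidate.length !== expected.length * 2) {
    return false;
  }
  // Constant-time comparison, so response timing does not reveal how many
  // leading bytes of a guessed signature were correct.
  return timingSafeEqual(expected, Buffer.from(candidate, 'hex'));
}

const KEY = 'constructed-demo-key';               // constructed sample key
const BODY = '{"event":"invoice.paid","id":42}';  // constructed sample body
const SIGNATURE = hmacHex('sha256', KEY, BODY);   // what the sender attaches

function demo() {
  const plainHash = createHash('sha256').update(BODY, 'utf8').digest('hex');
  return {
    genuine: verifySignature(KEY, BODY, SIGNATURE),
    upperCaseHex: verifySignature(KEY, BODY, SIGNATURE.toUpperCase()),
    tamperedBody: verifySignature(KEY, BODY.replace('42', '43'), SIGNATURE),
    wrongKey: verifySignature('another-key', BODY, SIGNATURE),
    truncated: verifySignature(KEY, BODY, SIGNATURE.slice(0, 32)),
    unkeyedHash: verifySignature(KEY, BODY, plainHash), // plain SHA-256 is not a MAC
  };
}

console.log(demo());
```

Verify against the raw request body exactly as received; re-serialising parsed JSON can change the bytes and make a genuine signature fail.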

#### Passphrase generator (key button)

Next to the key field sits a button with a key icon ("Generate secure passphrase"). It fetches a **64-character random passphrase** from the server and writes it into the **HMAC Secret Key** field. The string is generated server-side with a cryptographically secure random generator (`random_int`) from upper/lowercase letters, digits, and special characters. This is the **only** server interaction of the tool — the text you hash is never transmitted.

## File hashing (File Hash)

The **File Hash** area computes checksums for an entire file — handy for verifying a download against a published value.

### Choosing a file

Drag a file via **drag & drop** into the drop area ("Drag & drop a file here") or click it to open the file dialog. The name and size are then shown; the X removes the selection again. The maximum is **100 MB** — larger files are rejected with an error message.

### Hashing

Clicking **Hash File** reads the file locally as an `ArrayBuffer` (via the browser's `FileReader`) and computes **eight checksums at once**. A progress indicator runs during the computation ("Computing hashes…"). The results appear in the **File Checksums** table, each with its own copy button.

Computed — in this order — are **MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA-3 (256), SHA-3 (512), RIPEMD-160** (all as hex). Note: file hashing covers a slightly **different selection** than text hashing — SHA-224, SHA-3 (224), and SHA-3 (384) are not included here, and HMAC is text-only.

### The tech behind it

- **SHA-1, SHA-256, SHA-384, SHA-512** run through the browser's native **Web Crypto API** (`crypto.subtle.digest`) — fast and asynchronous.
- **MD5, SHA-3 (256), SHA-3 (512), RIPEMD-160** are computed by **CryptoJS**, because the Web Crypto API doesn't offer these algorithms.

Here too: everything happens **locally in the browser**. The file is never uploaded.
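Checking a download against a published value, as this section describes, sketched as an added example that is not the tool's own code: it picks candidate algorithms from the hex length of the published digest, limited to the eight in the **File Checksums** table, and reports whether the matching algorithm is one this manual marks as broken. It runs in Node.js with the built-in `crypto` module; the function name, result fields and sample data are constructed.

```javascript
// Added example for Node.js; the sample data and digests are constructed.
const { createHash, getHashes } = require('node:crypto');

// Hex length -> algorithms in the File Checksums table (OpenSSL names).
const BY_HEX_LENGTH = {
  32: ['md5'],
  40: ['sha1', 'ripemd160'],
  64: ['sha256', 'sha3-256'],
  96: ['sha384'],
  128: ['sha512', 'sha3-512'],
};
const BROKEN = new Set(['md5', 'sha1']); // flagged as broken in this manual

function checkPublishedDigest(data, published) {
  // Normalise what vendors publish: upper case, spaces, colon separators.
  const wanted = String(published).toLowerCase().replace(/[\s:]/g, '');
  if (!/^[0-9a-f]+$/.test(wanted)) return { ok: false, reason: 'not hex' };
  // Only try algorithms this Node/OpenSSL build actually provides.
  const available = getHashes();
  const candidates = (BY_HEX_LENGTH[wanted.length] || [])
    .filter((name) => available.includes(name));
  if (candidates.length === 0) {
    return { ok: false, reason: 'no algorithm for this length' };
  }
  for (const algorithm of candidates) {
    const actual = createHash(algorithm).update(data).digest('hex');
    if (actual === wanted) {
      return { ok: true, algorithm, collisionResistant: !BROKEN.has(algorithm) };
    }
  }
  return { ok: false, reason: 'mismatch' };
}

const SAMPLE = Buffer.from('abc', 'utf8'); // constructed stand-in for a file
console.log(checkPublishedDigest(SAMPLE,
  'BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD'));
```

A match on MD5 or SHA-1 only rules out accidental corruption; treat `collisionResistant: false` as a prompt to look for a published SHA-256 or stronger value.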

## Operational limits — in brief

- **Privacy:** text and files are processed strictly client-side; only the optional passphrase generator contacts the server (and sends none of your content).
- **File limit:** max **100 MB** per file.
- **Output:** always **hexadecimal**, lowercase.
- **Text computation:** button-triggered (one click per algorithm), not live as you type.
- **HMAC:** a key in the **HMAC Secret Key** field is required; not available for every SHA-3 subtype (only SHA-3 (512)).

For the introduction and the audiences, see the [overview page](https://www.jpkc.com/db/en/tools/hash/). Concrete workflows are in the [examples](https://www.jpkc.com/db/en/tools/hash/examples/), the security context in the [tips & tricks](https://www.jpkc.com/db/en/tools/hash/tips/). You can try everything directly in the [tool](https://www.jpkc.com/tools/hash/).

