SHA-1 Hash Generator

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function developed by the NSA and published by NIST in 1995. It produces a 160-bit (20-byte) hash value, displayed as a 40-character hexadecimal string. SHA-1 processes input in 512-bit blocks through 80 rounds of bitwise operations, modular additions, and non-linear functions. Each block updates a 160-bit internal state, and after all blocks are processed, the final state is the hash output.

No. SHA-1 has been considered broken since 2017, when Google and CWI Amsterdam demonstrated the first practical collision (the SHAttered attack). Major standards bodies, browsers, and certificate authorities have deprecated SHA-1 for digital signatures, TLS certificates, and code signing. Use SHA-256 or higher for any new cryptographic application. SHA-1 is only acceptable for legacy compatibility (e.g., older git operations) and non-security applications.

Paste your text into the input box on this page, or switch to the File tab and drop your file. The SHA-1 hash appears instantly — generated entirely in your browser using the Web Crypto API. No upload, no signup, completely free with no usage limits.

SHA-1 produces a 160-bit hash (40 hex chars) while SHA-256 produces a 256-bit hash (64 hex chars). SHA-256 is part of the more modern SHA-2 family and has no known practical attacks, while SHA-1 has been broken since 2017 (practical collisions demonstrated). SHA-256 is the recommended choice for all new cryptographic work. Both are similar in speed for typical inputs.

A SHA-1 hash is always 160 bits, which is 20 bytes. In hexadecimal (the standard text representation) it is 40 characters using 0-9 and a-f. In Base64 it is 28 characters with padding. The empty string hashes to da39a3ee5e6b4b0d3255bfef95601890afd80709.

No — SHA-1 is a one-way function. Given a SHA-1 hash, no efficient algorithm exists to compute the original input. However, common inputs (short passwords, dictionary words) can be found in rainbow tables. Additionally, collision attacks against SHA-1 mean an attacker can deliberately create two different inputs with the same SHA-1 hash, which is why it should not be used for security.

Despite being broken for security, SHA-1 is still used in 2026 for: git commit and object IDs (the Git project is migrating to SHA-256 but most repos still use SHA-1), legacy TLS certificates (now deprecated), older version control systems, file integrity checks where collision resistance isn't critical, and APIs that require SHA-1 for backwards compatibility.

SHA-1 was deprecated because its 160-bit output is too small to resist modern collision attacks. In 2017, the SHAttered attack publicly demonstrated a practical SHA-1 collision using ~110 GPU-years of computation. By 2020, the chosen-prefix collision attack reduced this to about $45,000 of cloud compute. This makes SHA-1 unsuitable for any application where an adversary could benefit from creating collisions (signatures, certificates, code authenticity).

SHA-1 is roughly 20-30% faster than SHA-256 on most CPUs without specialized hardware. However, modern x86 and ARM processors include SHA-NI / Crypto Extensions that accelerate both algorithms, making the difference negligible in many real-world scenarios. The minor speed advantage is not a good reason to choose SHA-1 over SHA-256 given the security difference.

Yes — as of 2026, most git repositories still use SHA-1 for commit hashes, tree IDs, and blob IDs. The git project has been working on transitioning to SHA-256 since 2018; SHA-256 support is included in git 2.29+ but requires explicit opt-in (git init --object-format=sha256). For everyday git use, SHA-1 collision attacks aren't practically exploitable because they would require massive resources and produce easily detectable artifacts.