Why is MD5 listed as broken?

MD5 is cryptographically broken for security use cases. For non-adversarial integrity checking it still works fine. For security-sensitive tasks use SHA-256 or SHA-512.

Which hash algorithm should I use?

Use SHA-256 for most purposes. It is the modern standard used by Git, Linux distributions, and software publishers. SHA-512 provides a larger security margin. Avoid MD5 and SHA-1 for security-critical use cases.

Free Online File Hash Generator

Calculate SHA-256, SHA-512, SHA-1, and MD5 checksums for any file — instantly and privately in your browser. No uploads, no servers. Drag and drop large files with real-time progress tracking.

Drop any file here or click to browseWorks with files of any size — fully processed in your browser

Related Developer Tools

HMAC Generator Bcrypt Generator Certificate Decoder JWT Decoder

Last updated: May 24 2026

Reviewed by the QuickTooly Team

File Hash Generator Guide

Why Use QuickTooly's File Hash Generator?

100% private: Files never leave your device — all hashing runs locally in the browser.
Large file support: Streams files in chunks with a real-time progress bar — no upload limits.
Multiple algorithms: SHA-256, SHA-512, SHA-1, and MD5 — choose the right one for your use case.
Built-in verification: Paste an expected checksum to confirm integrity with an instant match / mismatch badge.
No installation: Works entirely in your browser — no plugins, no software, no sign-up.
100% free: Unlimited hashing, no watermarks, no rate limits.

What Is a File Hash / Checksum?

A file hash (or checksum) is a fixed-length string produced by running a file through a cryptographic hash function. Even a single-bit change in the file produces a completely different hash — making checksums ideal for verifying file integrity after downloads, transfers, or storage.

Common use cases include verifying software downloads against a publisher's published SHA-256 hash, detecting accidental corruption in backups, comparing duplicate files without reading their full content, and signing or authenticating data in security pipelines.

Which Algorithm Should You Use?

SHA-256 — The modern standard. Used by Git, most Linux distributions, and software publishers for download verification. Recommended for all new use cases.
SHA-512 — Stronger than SHA-256 and faster on 64-bit CPUs. Use when maximum security margin is required.
SHA-1 — Deprecated for cryptographic security but still widely used for checksums in legacy tools, Git object IDs, and non-security contexts.
MD5 — Cryptographically broken; do not use for security. Still ubiquitous for non-security checksums, CDN ETags, and legacy compatibility.

How to Verify a File Hash

Verifying a checksum confirms that a file is exactly what it claims to be:

Download the file and locate the published hash on the software's official release page.
Drop the file into the tool above and select the same algorithm (usually SHA-256).
Paste the expected hash into the Verify field — a green ✓ Match badge confirms integrity.
A mismatch means the file was corrupted, tampered with, or is the wrong version — do not use it.

How This Tool Works Under the Hood

SHA-256, SHA-512, and SHA-1 are computed using the browser's native SubtleCrypto API — the same cryptographic engine used by HTTPS. MD5 is computed via the open-source node-forge library. Files are read in 2 MB chunks using the FileReader API, enabling accurate progress reporting even for multi-gigabyte files. Nothing is sent to any server.

Frequently Asked Questions

Is my file uploaded to your servers?

No. The file never leaves your device. All hashing is performed locally using browser APIs. QuickTooly has no visibility into the file's name, size, or contents.

What is the maximum file size?

There is no hard limit imposed by the tool. File size is only constrained by available browser memory. Files are processed in 2 MB chunks, so even very large files (10 GB+) can be hashed as long as your system has enough RAM.

Why is MD5 shown but listed as broken?

MD5 is cryptographically broken — meaning it is theoretically possible to engineer two different files with the same hash. For integrity checking of downloads or non-adversarial data, MD5 still works fine. For digital signatures, certificates, or security-sensitive use cases, use SHA-256 or SHA-512.

Can I hash multiple files at once?

Currently, the tool hashes one file at a time. To verify multiple files, simply drop each file in turn and compare the result to its corresponding published hash.

How do I find the expected SHA-256 hash for a download?

Most software publishers list checksums on their official download page — look for a .sha256 file, a "Checksums" section, or a "Verify your download" link. For Linux distributions (Ubuntu, Fedora, etc.) checksums are always provided alongside the ISO image.