Paste text or drop a file. Hashes computed locally in your browser. Nothing is sent to any server.
Nothing uploaded — runs entirely in your browser via Web Crypto API
📂
Drop a file here or click to browse
Any file type, any size — hashed locally in your browser
📂
Or drop a file to verify its checksum
Expected hash (paste the checksum you want to compare against):
output
computing...
About hashchop
hashchop generates cryptographic hash digests entirely inside your browser using the
Web Crypto API —
the same cryptography standard built into every modern browser. Your text and files never leave your device.
There is no server, no logging, no tracking of what you hash.
A hash function takes any input — a password, a file, a JSON payload, an entire database dump — and produces
a fixed-length fingerprint. The same input always produces the same fingerprint. Any change to the input,
even a single character, produces a completely different fingerprint. This makes hashes useful for verifying
file integrity, storing passwords safely, generating deterministic IDs, and signing data.
hashchop supports SHA-256, SHA-512, SHA-384, and SHA-1. It also supports drag-and-drop file hashing for
any file type and any file size — useful for verifying software downloads against published checksums.
Legacy compatibility (old systems, old tools), Git internal objects
New security-critical applications — SHA-1 has known collision vulnerabilities
Frequently asked questions
Is my data sent to a server?
No. hashchop uses the browser's built-in Web Crypto API. Your text and files are processed entirely on your device. Nothing is transmitted anywhere. You can verify this by taking your device offline — the tool still works.
How do I verify a file download?
Switch to the Verify tab. Drop your downloaded file in the file zone, then paste the expected checksum (from the software's release page) into the "Expected hash" field. hashchop will compare the computed hash against your expected value and show a match or mismatch.
Does hashchop support MD5?
No. MD5 is not included in the Web Crypto API because it is cryptographically broken — it has known collision attacks and should not be used for any security-sensitive purpose. hashchop uses SHA-256 (the modern standard), SHA-512, SHA-384, and SHA-1 (legacy only). If you need MD5 for legacy system compatibility, use your operating system's built-in tools: md5sum on Linux, md5 on macOS, or Get-FileHash -Algorithm MD5 on Windows.
What is a checksum?
A checksum (or hash digest) is a short, fixed-length string that acts as a fingerprint for data. Software publishers post checksums for their downloads so users can verify the file hasn't been tampered with or corrupted in transit. If the checksum you compute locally matches the one published by the developer, the file is intact and authentic.
Can I hash very large files?
Yes. hashchop reads files using the File API and streams them through the Web Crypto API. There is no file size limit imposed by the tool itself — the limit is your device's available memory. Files in the hundreds of megabytes work fine. Very large files (several gigabytes) may take a few seconds and require sufficient RAM.
Is SHA-1 still safe to use?
SHA-1 has known theoretical and practical collision vulnerabilities — two different inputs can produce the same hash. It should not be used for new security-critical applications (signatures, certificates, password storage). It is still fine for non-security uses like identifying Git objects or matching against legacy checksums from older software projects.
Which algorithm should I use?
For most purposes: SHA-256. It is the current standard, widely supported, and the right choice for file integrity, API request signing, and general checksums. Use SHA-512 when you need the highest security margin. Use SHA-384 for Subresource Integrity (SRI) tags in HTML. Use SHA-1 only when you must match an existing legacy checksum.