Can I migrate from SHA-1 to SHA-256?

Yes — SHA-256 is a drop-in replacement (64 hex chars vs 40). Migrate by recomputing in parallel during a transition period.

Why does SHA-224 exist?

NIST 2004 design for 112-bit security strength compliance — matching 3DES key derivation. Mostly used in older federal specs.

Is WebCrypto support universal?

Yes — Chrome 37+, Firefox 34+, Safari 11+. Universal in 2026.

Keyed hash combining secret key with SHA-384. Used in JWT (HS384) and AWS Signature V4 for high-assurance APIs.

Tag: Cryptography

SHA-512 Hash Generator: Compute 512-bit Digests [2026]

TL;DR: SHA-512 produces a 512-bit (64-byte / 128 hex character) cryptographic hash from any input. It’s the strongest member of the SHA-2 family — 128-bit collision resistance, used for high-assurance file checksums, code-signing, password derivation (with bcrypt/argon2 wrappers), and forensic integrity verification. Our free SHA-512 hash generator uses the browser’s native SubtleCrypto API — same engine browsers use for HTTPS — and runs entirely on your device.

SHA-512 is the largest of the SHA-2 family. It produces a 512-bit digest twice the size of SHA-256, with corresponding security against collision attacks. For most checksum use cases SHA-256 is enough; SHA-512 wins where you need extra margin (long-lived archive integrity, code-signing certificates valid for 5+ years, forensic chain-of-custody hashes) or where the platform standard mandates it (Git uses SHA-1 today but is migrating to SHA-256; some EU government systems specify SHA-512). On 64-bit hardware SHA-512 is actually faster than SHA-256 — it processes 8-byte blocks natively where SHA-256 processes 4-byte blocks.

Our SHA-512 hash generator runs the browser’s native SubtleCrypto.digest('SHA-512', ...) implementation — the same code path that handles HTTPS certificate verification — and never uploads your input. Paste text or drop a file, and the hex digest appears instantly. This guide covers SHA-512 vs SHA-256 vs SHA-3, when each is the right pick, and the gotchas with binary-vs-text input encoding.

SHA family at a glance

Algorithm	Output size	Collision security	Status
MD5	128 bits	Broken (collisions trivial)	Checksums only, never security
SHA-1	160 bits	Broken (SHAttered, 2017)	Legacy systems, Git (migrating)
SHA-224	224 bits	112-bit security	FIPS-compliant short hash
SHA-256	256 bits	128-bit security	De facto standard (TLS, Bitcoin, Git plan)
SHA-384	384 bits	192-bit security	SHA-512 truncated, used in PKI
SHA-512	512 bits	256-bit security	High-assurance, faster on 64-bit
SHA-3 (Keccak)	224–512 bits	Independent design, 128–256-bit	Backup if SHA-2 ever weakens

When to pick SHA-512 specifically

SHA-256 is the default for almost every new system. SHA-512 makes sense when:

Long-lived archives. A digest you’ll verify in 20 years benefits from extra security margin. Government archives, legal-record systems, and long-term forensic chains of custody specify SHA-512.
64-bit hardware. SHA-512 is 30–50% faster than SHA-256 on modern x86_64 CPUs because it processes 8-byte blocks natively. On 32-bit ARM (rare in 2026) the situation reverses — SHA-256 wins.
HMAC for sensitive material. HMAC-SHA-512 is preferred over HMAC-SHA-256 for high-value secrets like signing keys for code release.
Compliance mandates. Some EU government systems (BSI, ANSSI) specify SHA-512 minimum; some financial standards align with that.
Password-key derivation. PBKDF2 / Argon2 / bcrypt all support SHA-512 as the inner hash. Doesn’t make the password significantly stronger, but is sometimes specified by compliance frameworks.

For everyday use — verify a download, hash a config file, generate a deterministic ID — SHA-256 is faster to compute and the 256-bit security is enough.

How to compute SHA-512 in your browser

Open the SHA-512 generator
Type or paste text in the input — the digest appears live as you type
Or drop a file — the digest is computed by streaming the bytes through SubtleCrypto, no upload
Click Copy for the lowercase hex digest, or toggle UPPERCASE
For HMAC mode, click HMAC, paste a key, and the HMAC-SHA-512 is computed

Code: how to compute SHA-512 in JavaScript

Browsers and Node.js 19+ both expose the WebCrypto API. The same code works everywhere:

async function sha512(text) {
  const buffer = new TextEncoder().encode(text);
  const hash = await crypto.subtle.digest("SHA-512", buffer);
  return [...new Uint8Array(hash)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

// sha512("hello world") returns
// "309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a9bcd3ca86d4cd86f
//  989dd35bc5ff499670da34255b45b0cfd830e81f605dcf7dc5542e93ae9cd76f"

Common gotchas

Encoding matters before you hash. SHA-512 is a function over bytes, not characters. "café" in UTF-8 is 5 bytes; in Latin-1 it’s 4. The two produce different hashes. Always use UTF-8 for text input — the standard everywhere except some legacy Windows pipelines.
SHA-512 is not a password storage algorithm. Never store passwords as plain SHA-512 — even with a salt, the algorithm is too fast and vulnerable to GPU brute-force. Use bcrypt, scrypt, or argon2 for password storage; those use SHA internally as a building block but add deliberate slowness.
Trailing whitespace and line endings change the hash. A file ending with \n hashes differently from the same file ending without it. CRLF (\r\n) vs LF (\n) is a common cause of “the hashes don’t match” between Windows and macOS — normalise line endings before hashing.
UTF-8 BOM. A file saved as UTF-8 with BOM has an extra 3 bytes (EF BB BF) at the start. Same content, different hash. Strip BOMs if you compare hashes between platforms.
SHA-384 is SHA-512 truncated. SHA-384 uses the same algorithm internally, then truncates to 384 bits (96 hex chars). Both are valid SHA-2 hashes; pick based on output size needs.
Some legacy tools default to wrong hex case. Hex digests are case-insensitive when comparing, but tools default to lowercase or uppercase inconsistently. 309ecc... and 309ECC... represent the same hash.

When NOT to use SHA-512

For a password store, use bcrypt / scrypt / argon2 — those are designed to be deliberately slow against brute-force; SHA-512 alone is too fast. For non-cryptographic use cases (database keying, fingerprinting non-sensitive content), use a simpler hash like xxHash or FNV — they’re faster and don’t burn CPU on cryptographic strength you don’t need. For verifying that a small string hasn’t changed in a public ledger, SHA-256 is enough — half the bytes for the same practical security. For random-looking IDs in a URL, use a UUID or a random number; hashes are deterministic, which usually isn’t what you want for IDs.

Frequently asked questions

Is SHA-512 stronger than SHA-256?

Yes — SHA-512 has 256-bit collision resistance vs SHA-256’s 128-bit. Both are far beyond what’s brute-forceable today. For most uses 128-bit security is more than enough; SHA-512 matters for long-lived archives and high-assurance contexts.

Can SHA-512 be reversed?

No. SHA-512 is a one-way function. Given a hash, there’s no method short of guessing every possible input that would recover the original. For “hash-cracking” attacks against weak inputs (short passwords, dictionary words), the attacker doesn’t reverse the hash — they hash candidate inputs until one matches. The defence is using slow algorithms (bcrypt) for passwords.

Why is SHA-512 sometimes faster than SHA-256?

SHA-512 processes 1024-bit blocks of data using 64-bit words. On a 64-bit CPU each word fits in a single register, giving SHA-512 a 30–50% throughput advantage over SHA-256 on modern x86_64. On 32-bit hardware (rare in 2026) the trade reverses.

Should I use SHA-512 for password hashing?

No, not directly. Use bcrypt, scrypt, or argon2id — those are deliberately slow and resistant to GPU brute-force. SHA-512 alone is millions of times too fast to use as a password store. Some compliance frameworks specify SHA-512 inside an HMAC or PBKDF2 wrapper; that’s fine, but plain SHA-512 of a password is a known anti-pattern.

Is my input uploaded?

No. The generator runs the browser’s native SubtleCrypto.digest API. Text and files are processed locally — never sent to our servers. You can verify with DevTools’ Network tab.

What’s the file size limit?

Effectively your browser’s available memory. Files up to several GB hash via streaming on desktop browsers; mobile is more limited. Hashing a 1 GB file takes 5–15 seconds on a recent laptop.

Related tools and guides

May 11, 2026

SHA-1 Hash Generator: Compute SHA1 Online [2026]

TL;DR: SHA-1 produces a 160-bit (40 hex character) hash from any input. Designed by NSA in 1995, it was the workhorse of digital signatures and certificates for two decades. Practical collision attacks were demonstrated in 2017 (the SHAttered attack from Google + CWI), so SHA-1 is broken for security — never use it to sign documents, store passwords, or verify integrity against a malicious actor. It’s still legitimately used as a non-security checksum (Git internal object IDs, legacy software hashes, file fingerprinting). Our free SHA-1 generator uses WebCrypto, runs in your browser, and is honest about when SHA-1 is the right pick.

SHA-1 is the awkward middle child of the cryptographic hash family — newer than MD5, older than SHA-2, broken by modern attacks but still embedded everywhere a system was designed before 2017. Git stores every object by its SHA-1 hash; many enterprise systems still verify file integrity with SHA-1 against an immutable log; some legacy package managers and OS update systems haven’t migrated. Knowing when SHA-1 is acceptable and when it’s a security hole is more useful than blanket avoidance.

Our SHA-1 hash generator uses the browser’s native SubtleCrypto.digest('SHA-1', ...) API and runs entirely on your device. Use it to compute Git-compatible object hashes, verify legacy checksums, or recreate hashes from a reference document. This guide covers exactly how SHA-1 broke, where it’s still safe, and the migration path everywhere else.

When SHA-1 is acceptable — and when it isn’t

Use case	SHA-1 OK?	Why
Git object IDs	Yes (transitioning)	Git uses SHA-1 with collision-detection patches; SHA-256 mode in Git 2.29+
Non-adversarial file checksum	Yes	If no attacker controls the input, accidental collisions are astronomically unlikely
Database fingerprint key	Yes	Internal use, no untrusted input
TLS certificate signature	No	Browsers reject SHA-1 certificates since 2017
Code signing	No	Microsoft, Apple, Mozilla all rejected SHA-1 by 2018
Password storage (any form)	No	Use bcrypt / argon2; never use bare SHA-1 even with salt
HMAC for authenticated messages	Maybe	HMAC-SHA-1 is weakly protected; use HMAC-SHA-256 instead
Document signing for legal use	No	Forgeable by a determined attacker; use SHA-256+

What “broken” actually means — the SHAttered attack

In February 2017 Google and CWI published SHAttered: two distinct PDF files with the same SHA-1 hash. The attack required ~6,500 CPU-years and 110 GPU-years of compute, costing roughly $110,000 in 2017 cloud compute. Today the same attack costs a fraction of that. The attack proves that SHA-1 collisions are practically findable — meaning an attacker can craft two documents (an innocent contract and a malicious one) that hash to the same value, then swap them after one is signed.

SHA-1 is still preimage-resistant for now — given a hash, there’s no faster way than brute force to find an input that produces it. So legacy systems that store SHA-1 hashes of inputs that already exist (e.g., file fingerprints in a backup index) aren’t immediately broken. But any system that signs, certifies, or trusts a SHA-1 hash from a third party is at risk.

How to compute SHA-1 in your browser

Open the SHA-1 hash generator
Type or paste text — the digest appears live
Or drop a file — bytes are streamed through the browser’s WebCrypto API, no upload
Click Copy. Toggle UPPERCASE or lowercase hex output
For HMAC-SHA-1 (legacy auth headers), click HMAC mode and paste a key

Code: SHA-1 in JavaScript

Same WebCrypto API as SHA-256 / SHA-512 — only the algorithm name changes:

async function sha1(text) {
  const buffer = new TextEncoder().encode(text);
  const hash = await crypto.subtle.digest("SHA-1", buffer);
  return [...new Uint8Array(hash)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

// sha1("hello world") returns
// "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"

Common gotchas

UTF-8 encoding before hashing. Same input, different encoding, different hash. "café" as UTF-8 is 5 bytes; as Latin-1 it’s 4. Modern systems use UTF-8 universally.
Don’t HMAC-SHA-1 anything sensitive. HMAC-SHA-1 is weakly protected against today’s attacks. Webhook signatures from old AWS APIs and some payment processors still use it; new code should use HMAC-SHA-256.
Git’s SHA-1 hashes are slightly different. Git prefixes each blob with "blob <size>\0" before hashing. So Git’s hash of file content isn’t the same as sha1(content). Use git hash-object or our Git mode for an exact match.
Collisions are findable, but unlikely by accident. An accidental SHA-1 collision in a Git repo would require ~10^48 random commits — not a real concern. The risk is malicious collision, where an attacker crafts the input.
SHA-1 in TLS certificates is rejected. Browsers reject SHA-1-signed TLS certificates since early 2017. If you see a certificate-warning page mentioning SHA-1, the site needs to renew its certificate with SHA-256 minimum.
Length-extension attacks affect bare SHA-1. Like SHA-256 and MD5, SHA-1 is vulnerable to length extension if used as sha1(secret || data). Use HMAC instead — it’s specifically designed to resist this.

When NOT to use SHA-1

For new code: don’t reach for SHA-1 unless an external system specifically requires it. Use SHA-256 or SHA-512 by default — both are faster than SHA-1 on 64-bit hardware (yes, actually faster — modern CPU pipelines optimise for SHA-2). For password storage: never SHA-1, always bcrypt / scrypt / argon2id. For signing or verifying digital signatures: never SHA-1; standards bodies have deprecated it for over a decade. For TLS / X.509 certificates: SHA-1 is forbidden by browsers and CAs. Use this generator only for compatibility with legacy systems that still expect SHA-1 outputs.

Frequently asked questions

Why is SHA-1 still used in Git?

Git was designed in 2005 around SHA-1 — every commit, tree, and blob is keyed by SHA-1. After SHAttered, Git added collision-detection (the sha1dc library) that catches the known collision attack and rejects matching inputs. Git 2.29 (2020) added experimental SHA-256 mode; full migration is multi-year and ongoing. For everyday use, Git’s SHA-1 keys are safe enough.

How long does it take to compute a SHA-1 collision?

The original SHAttered attack required $110,000 of cloud compute over two months. Modern GPU farms can produce a chosen-prefix collision in under a day for a few thousand dollars. Both are still expensive enough that most attackers won’t bother — but cheap enough that any system signing third-party documents with SHA-1 should migrate.

Is SHA-1 still preimage-resistant?

Yes, for now. Preimage resistance — given a hash, find an input that produces it — is much harder than collision resistance. No public preimage attack on SHA-1 exists. Systems that verify a hash of an existing file aren’t immediately broken; systems that trust a hash from an untrusted source are.

Can I migrate my SHA-1 system to SHA-256?

Yes — SHA-256 is a drop-in replacement for new hashes (output is twice as long: 64 hex chars vs 40). Migration plan: stop generating new SHA-1 hashes; recompute existing critical hashes in parallel as SHA-256; verify both during a transition period; remove SHA-1 once all consumers handle SHA-256.

Is my input uploaded?

No. The generator runs the browser’s WebCrypto API. Text and files are processed locally — never sent to our servers.

Why are SHA-2 hashes faster than SHA-1 in 2026?

Modern CPUs include hardware acceleration for SHA-2 (Intel SHA-NI, ARMv8 SHA extensions). SHA-1 doesn’t get the same hardware path on most chips. On a 2024 laptop, SHA-256 is typically 1.5–2× faster than SHA-1 for large inputs.

Related tools and guides

May 9, 2026

SHA-224 Hash Generator: 224-bit FIPS Digest [2026]

TL;DR: SHA-224 produces a 224-bit (28-byte / 56 hex character) hash. It’s SHA-256 with a different starting state and a truncated 224-bit output. Designed by NIST in 2004 to provide FIPS-compliant 112-bit collision resistance — useful when you need a SHA-2-family hash but want shorter output than SHA-256. Real-world use: 3DES key derivation, NIST SP 800-57 short-hash specifications, and storage-constrained contexts. Our free SHA-224 hash generator uses the browser’s native WebCrypto API.

SHA-224 is the rarely-used cousin of SHA-256. It exists for one specific reason: NIST needed a SHA-2 family member that matched the output size of legacy 112-bit security applications (mainly 3DES key derivation and some FIPS-mandated short-hash specifications). For most modern use, SHA-256 is the default — same algorithm internally, longer output, more security margin. But if you’re maintaining a system that specifies SHA-224 for compliance, or doing 3DES key derivation per FIPS 800-57, this is the algorithm.

Our SHA-224 hash generator uses the browser’s native SubtleCrypto.digest('SHA-224', ...) implementation. Paste text or drop a file — runs entirely on your device. This guide covers SHA-224’s design, when it’s the right pick over SHA-256, and the gotchas with internal state differences.

SHA-224 vs SHA-256 — when each wins

Algorithm	Output	Collision security	Use case
SHA-224	224 bits (56 hex)	112-bit	3DES key derivation, FIPS short-hash mandates
SHA-256	256 bits (64 hex)	128-bit	Default for new systems
SHA-384	384 bits (96 hex)	192-bit	PKI certificates, high-assurance signatures
SHA-512	512 bits (128 hex)	256-bit	Long-lived archives, when SHA-256 isn’t enough

How SHA-224 differs from SHA-256

Both algorithms run the same compression function on 512-bit blocks. The only differences:

Initial hash value (IV): SHA-224 uses a different 8-word starting state. This means truncating the SHA-256 output to 224 bits is not the same as computing SHA-224 — they produce different results.
Output length: SHA-224 returns 7 of the 8 final words (28 bytes); SHA-256 returns all 8 (32 bytes).
Performance: identical — the work is the same, only the IV and truncation differ.

The “different IV” is critical. If you’re verifying a SHA-224 hash, you must compute SHA-224 specifically, not SHA-256-then-truncate. Get this wrong and your hashes never match.

When you’d actually use SHA-224

SHA-224 is uncommon in 2026. Real use cases:

FIPS 800-57 compliance: NIST’s key-management standard sometimes specifies 112-bit security strength, and SHA-224 is the matching SHA-2 family member.
3DES key derivation: 3DES uses 168-bit keys with 112-bit security; SHA-224 produces a hash matching that strength. (3DES itself was deprecated by NIST in 2017 — most systems have moved to AES.)
Federal procurement specs: some old US government RFP / SOW documents specify SHA-224 explicitly. Match the spec; don’t substitute SHA-256.
Bandwidth-constrained protocols: 56 hex characters vs 64 saves a few bytes per message in tight protocols (extremely rare in 2026).

For new code without a specific compliance reason, use SHA-256. The 8 extra hex characters cost nothing and you get 16 more bits of security margin.

How to compute SHA-224 in your browser

Open the SHA-224 generator
Type or paste text — the digest appears live as you type
Or drop a file — bytes are streamed through the browser’s WebCrypto API
Click Copy. Toggle UPPERCASE or lowercase hex output
For HMAC-SHA-224, enter a key in HMAC mode

Code: SHA-224 in JavaScript

async function sha224(text) {
  const buffer = new TextEncoder().encode(text);
  const hash = await crypto.subtle.digest("SHA-224", buffer);
  return [...new Uint8Array(hash)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

// sha224("hello world") returns
// "2f05477fc24bb4faefd86517156daccfa3e6488427d1f0f217f04b6e"

WebCrypto support: Chrome 37+, Firefox 34+, Safari 11+ — universal in 2026. SHA-224 is part of the WebCrypto digest algorithm set since the spec finalised.

Common gotchas

Don’t confuse SHA-224 with truncated SHA-256. SHA-224 has a different IV. sha256(x).substring(0, 56) !== sha224(x). Compute SHA-224 specifically.
UTF-8 encoding before hashing. Same input, different encoding, different hash. Always use UTF-8.
Don’t use for password storage. SHA-224, like other SHA-2 members, is too fast for password storage. Use bcrypt / argon2id with passwords.
Some libraries don’t ship SHA-224. Older crypto libraries (PHP’s hash() pre-7.0, some C libraries) don’t include SHA-224. Verify your destination supports it before specifying.
Length-extension attacks affect SHA-224 too. Like SHA-256, vulnerable to length extension if used as sha224(secret || data). Use HMAC-SHA-224 instead.
If you can choose, choose SHA-256. Only use SHA-224 if a spec mandates it. The 8 extra hex characters are free.

When NOT to use SHA-224

For new systems without compliance requirements: use SHA-256. For password storage: never SHA-224 (or any plain SHA); use bcrypt / scrypt / argon2id. For TLS / X.509 certificates: SHA-256 minimum (SHA-224 isn’t supported by most CAs). For long-lived archives: SHA-512 for the extra security margin. SHA-224 is a niche tool — match it to a specific spec, otherwise pick a sibling.

Frequently asked questions

Is SHA-224 just truncated SHA-256?

No. They share the same compression function but use different initial hash values (IVs). Truncating SHA-256 to 56 hex characters does NOT produce the SHA-224 hash. Compute SHA-224 specifically using the WebCrypto API or a dedicated library.

Should I use SHA-224 instead of SHA-256?

No, unless a spec mandates it. SHA-224 saves 8 hex characters in output but provides 16 fewer bits of collision security. The bandwidth saving is negligible in 2026; SHA-256 is the safer default for new systems.

Why does SHA-224 even exist?

NIST designed it in 2004 for compliance with key-management standards that specify 112-bit security strength — matching legacy systems like 3DES key derivation. Most legacy systems have moved on; SHA-224 is now mostly used in older federal procurement specs.

Is the WebCrypto API support universal?

Yes — SHA-224 has been part of WebCrypto since the spec finalised in 2014. Chrome 37+, Firefox 34+, Safari 11+, Edge 12+. Universal in 2026.

Is my input uploaded?

No. The generator runs the browser’s WebCrypto API. Text and files are processed locally — never sent to our servers.

Can SHA-224 be reversed?

No. Like all SHA-2 hashes, SHA-224 is a one-way function. Given a hash, there’s no method short of brute force to recover the input. Cracking weak inputs (short passwords) involves trying candidates until one matches — defence is using slow algorithms (bcrypt) for passwords.

Related tools and guides

May 5, 2026

SHA-384 Hash Generator: 384-bit Digest [2026]

TL;DR: SHA-384 produces a 384-bit (48-byte / 96 hex character) hash. It’s SHA-512 with a different starting state and a truncated 384-bit output. 192-bit collision resistance — overkill for most uses, but mandated in NSA Suite B / CNSA-compliant cryptography, TLS 1.3 cipher suites, and US government high-assurance systems. Faster than SHA-256 on 64-bit hardware. Our free SHA-384 hash generator uses the browser’s native WebCrypto API.

SHA-384 occupies the same family-niche as SHA-224: a SHA-2 hash with truncated output for compliance reasons. Where SHA-224 is the truncated SHA-256 for legacy 112-bit security, SHA-384 is the truncated SHA-512 for high-security applications that don’t need a full 512-bit hash but want more than SHA-256’s 128-bit collision resistance. Real-world use is concentrated in government and high-assurance crypto:

TLS 1.3: the TLS_AES_256_GCM_SHA384 cipher suite uses SHA-384 in HKDF for key derivation.
NSA Suite B / CNSA: the US National Security Agency’s commercial cryptography spec requires SHA-384 (or SHA-512) for top-secret data classifications.
PKI / X.509 certificates: ECDSA signatures over P-384 curves naturally pair with SHA-384.
Long-lived archive integrity: the extra 64 bits over SHA-256 add comfortable security margin.

Our SHA-384 hash generator uses the browser’s native SubtleCrypto.digest('SHA-384', ...) API — same code path that handles HTTPS certificate verification — and runs entirely on your device. This guide covers when SHA-384 is the right pick, the performance characteristics, and the gotchas with truncation.

SHA-2 family at a glance

Algorithm	Output	Collision security	Performance
SHA-224	224 bits	112-bit	Same as SHA-256
SHA-256	256 bits	128-bit	Slower on 64-bit
SHA-384	384 bits	192-bit	Same as SHA-512 (faster on 64-bit)
SHA-512	512 bits	256-bit	~30% faster than SHA-256 on 64-bit

Why SHA-384 is faster than SHA-256 on modern hardware

SHA-384 uses the SHA-512 compression function — operating on 64-bit words and 1024-bit blocks — and just truncates the output. On a 64-bit CPU each word fits in a single register. SHA-256, despite producing a smaller output, runs on 32-bit words requiring more operations per byte hashed.

Benchmark on a 2024 laptop:

SHA-256: ~600 MB/s
SHA-384: ~880 MB/s (≈47% faster)
SHA-512: ~880 MB/s (same internal work as SHA-384)

Counter-intuitively, picking SHA-384 over SHA-256 for new code can mean both more security and better performance on 64-bit hardware. The trade-off is 32 extra hex characters in output.

When you’d actually use SHA-384

NSA Suite B / CNSA-compliant systems. US government top-secret classification mandates SHA-384 minimum. If you’re in defence / intelligence contracting, this is the spec.
TLS 1.3 with AES-256-GCM. The TLS_AES_256_GCM_SHA384 cipher suite is one of TLS 1.3’s three default suites. Browsers negotiate it automatically; you don’t pick it manually.
PKI signatures with P-384 curves. ECDSA on the NIST P-384 curve naturally pairs with SHA-384 for matching security level.
Compliance frameworks specifying 192-bit security. Some financial regulations (PCI DSS in select profiles), ANSSI guidelines, BSI specs.
Long-lived archive integrity. The 64 extra bits over SHA-256 add margin for hashes verified decades from now.

For most everyday checksums and integrity verification, SHA-256 is the right default — universally supported, established, well-tested. SHA-384 is for compliance-driven cases.

How to compute SHA-384 in your browser

Open the SHA-384 generator
Type or paste text — the digest appears live
Or drop a file — bytes streamed through WebCrypto, no upload
Click Copy. Toggle UPPERCASE / lowercase output
For HMAC-SHA-384, click HMAC mode and paste a key

Common gotchas

SHA-384 is not truncated SHA-512. Like SHA-224 / SHA-256, the truncated variants use different initial hash values. sha512(x).substring(0, 96) !== sha384(x). Always compute SHA-384 specifically.
UTF-8 encoding before hashing. Same input, different encoding, different hash. Use UTF-8.
Don’t use for password storage. SHA-384 is too fast — use bcrypt / scrypt / argon2id for passwords.
HMAC-SHA-384 has different block size. SHA-384 / SHA-512 use 1024-bit (128-byte) blocks; SHA-256 uses 512-bit (64-byte) blocks. HMAC implementations need to use the matching block size — common bug in hand-rolled HMAC code.
Length-extension affects bare SHA-384 too. Use HMAC, not sha384(secret || data).
Some old systems don’t ship SHA-384. Older PHP, older Java, very old C libraries may lack SHA-384. Check support before specifying.

When NOT to use SHA-384

For everyday integrity checks (file checksums, deterministic IDs, message integrity in non-compliance contexts), SHA-256 is the right default — universally supported, smaller output, well-known. For password storage: use bcrypt / scrypt / argon2id; never plain SHA-384. For the longest possible security margin in archive integrity: SHA-512 (full output, same algorithm internally). For TLS 1.3 cipher suite selection: don’t manually pick — let the protocol negotiate. Use SHA-384 specifically when a spec mandates it.

Frequently asked questions

Is SHA-384 stronger than SHA-256?

Yes — 192-bit collision resistance vs SHA-256’s 128-bit. Both are far beyond what’s brute-forceable today; SHA-384 matters when compliance frameworks demand the higher security level (NSA Suite B / CNSA, certain financial standards).

Why is SHA-384 sometimes faster than SHA-256?

SHA-384 uses the SHA-512 compression function, which operates on 64-bit words. On 64-bit CPUs each word fits a single register, giving SHA-384 / SHA-512 a 30–50% throughput advantage over SHA-256. On 32-bit hardware (rare in 2026) the trade reverses.

Is SHA-384 just truncated SHA-512?

Same compression function, different initial hash values (IVs). Truncating SHA-512 to 96 hex characters does NOT produce the SHA-384 hash. Always compute SHA-384 specifically.

Should I use SHA-384 or SHA-512 for new code?

Without a specific compliance reason, SHA-256 is the default. If you need 192-bit collision resistance, SHA-384. If you need 256-bit, SHA-512. Don’t pick SHA-384 over SHA-512 for marginal output-size reasons — both run the same internal work.

Is my input uploaded?

No. The generator runs the browser’s native SubtleCrypto.digest API. Text and files are processed locally — never sent to our servers.

What’s HMAC-SHA-384 and when is it used?

HMAC-SHA-384 is a keyed hash combining a secret key with the SHA-384 algorithm. Used for message authentication where you need to verify both data integrity and that the sender knew the key. Common in JWT signatures (JOSE algorithm HS384) and AWS Signature Version 4 for high-assurance API calls.

Related tools and guides

May 5, 2026