{"id":167,"date":"2026-05-09T09:20:38","date_gmt":"2026-05-09T13:20:38","guid":{"rendered":"https:\/\/simpletool.io\/blog\/?p=167"},"modified":"2026-05-05T09:21:02","modified_gmt":"2026-05-05T13:21:02","slug":"sha1-hash-generator","status":"publish","type":"post","link":"https:\/\/simpletool.io\/blog\/sha1-hash-generator\/","title":{"rendered":"SHA-1 Hash Generator: Compute SHA1 Online [2026]"},"content":{"rendered":"
TL;DR:<\/strong> SHA-1 produces a 160-bit (40 hex character) hash from any input. Designed by NSA in 1995, it was the workhorse of digital signatures and certificates for two decades. Practical collision attacks were demonstrated in 2017 (the SHAttered attack from Google + CWI), so SHA-1 is broken for security<\/strong> \u2014 never use it to sign documents, store passwords, or verify integrity against a malicious actor. It’s still legitimately used as a non-security checksum (Git internal object IDs, legacy software hashes, file fingerprinting). Our free SHA-1 generator<\/a> uses WebCrypto, runs in your browser, and is honest about when SHA-1 is the right pick.<\/div>\n

SHA-1 is the awkward middle child of the cryptographic hash family \u2014 newer than MD5, older than SHA-2, broken by modern attacks but still embedded everywhere a system was designed before 2017. Git stores every object by its SHA-1 hash; many enterprise systems still verify file integrity with SHA-1 against an immutable log; some legacy package managers and OS update systems haven’t migrated. Knowing when SHA-1 is acceptable and when it’s a security hole is more useful than blanket avoidance.<\/p>\n

Our SHA-1 hash generator<\/a> uses the browser’s native SubtleCrypto.digest('SHA-1', ...)<\/code> API and runs entirely on your device. Use it to compute Git-compatible object hashes, verify legacy checksums, or recreate hashes from a reference document. This guide covers exactly how SHA-1 broke, where it’s still safe, and the migration path everywhere else.<\/p>\n

When SHA-1 is acceptable \u2014 and when it isn’t<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n
Use case<\/th>\nSHA-1 OK?<\/th>\nWhy<\/th>\n<\/tr>\n<\/thead>\n
Git object IDs<\/td>\nYes (transitioning)<\/td>\nGit uses SHA-1 with collision-detection patches; SHA-256 mode in Git 2.29+<\/td>\n<\/tr>\n
Non-adversarial file checksum<\/td>\nYes<\/td>\nIf no attacker controls the input, accidental collisions are astronomically unlikely<\/td>\n<\/tr>\n
Database fingerprint key<\/td>\nYes<\/td>\nInternal use, no untrusted input<\/td>\n<\/tr>\n
TLS certificate signature<\/td>\nNo<\/td>\nBrowsers reject SHA-1 certificates since 2017<\/td>\n<\/tr>\n
Code signing<\/td>\nNo<\/td>\nMicrosoft, Apple, Mozilla all rejected SHA-1 by 2018<\/td>\n<\/tr>\n
Password storage (any form)<\/td>\nNo<\/td>\nUse bcrypt \/ argon2; never use bare SHA-1 even with salt<\/td>\n<\/tr>\n
HMAC for authenticated messages<\/td>\nMaybe<\/td>\nHMAC-SHA-1 is weakly protected; use HMAC-SHA-256 instead<\/td>\n<\/tr>\n
Document signing for legal use<\/td>\nNo<\/td>\nForgeable by a determined attacker; use SHA-256+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What “broken” actually means \u2014 the SHAttered attack<\/h2>\n

In February 2017 Google and CWI published SHAttered<\/a>: two distinct PDF files with the same SHA-1 hash. The attack required ~6,500 CPU-years and 110 GPU-years of compute, costing roughly $110,000 in 2017 cloud compute. Today the same attack costs a fraction of that. The attack proves that SHA-1 collisions are practically<\/em> findable \u2014 meaning an attacker can craft two documents (an innocent contract and a malicious one) that hash to the same value, then swap them after one is signed.<\/p>\n

SHA-1 is still preimage-resistant<\/em> for now \u2014 given a hash, there’s no faster way than brute force to find an input that produces it. So legacy systems that store SHA-1 hashes of inputs that already exist (e.g., file fingerprints in a backup index) aren’t immediately broken. But any system that signs, certifies, or trusts a SHA-1 hash from a third party is at risk.<\/p>\n

How to compute SHA-1 in your browser<\/h2>\n
    \n
  1. Open the SHA-1 hash generator<\/a><\/li>\n
  2. Type or paste text \u2014 the digest appears live<\/li>\n
  3. Or drop a file \u2014 bytes are streamed through the browser’s WebCrypto API, no upload<\/li>\n
  4. Click Copy<\/strong>. Toggle UPPERCASE or lowercase hex output<\/li>\n
  5. For HMAC-SHA-1 (legacy auth headers), click HMAC mode and paste a key<\/li>\n<\/ol>\n

    Code: SHA-1 in JavaScript<\/h2>\n

    Same WebCrypto API as SHA-256 \/ SHA-512 \u2014 only the algorithm name changes:<\/p>\n

    async function sha1(text) {\r\n  const buffer = new TextEncoder().encode(text);\r\n  const hash = await crypto.subtle.digest(\"SHA-1\", buffer);\r\n  return [...new Uint8Array(hash)]\r\n    .map((b) => b.toString(16).padStart(2, \"0\"))\r\n    .join(\"\");\r\n}\r\n\r\n\/\/ sha1(\"hello world\") returns\r\n\/\/ \"2aae6c35c94fcfb415dbe95f408b9ce91ee846ed\"<\/code><\/pre>\n
    Common gotchas<\/h2>\n