SHA1 Hash Generator
Compute SHA-1 digests for checksums and legacy systems.
SHA-1 · 160-bit digest · deprecated for security, still used in Git
File input
Hash any file up to 500 MB. Processed locally — the file never uploads.
What is a SHA-1 Hash Generator?
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function published by the US National Security Agency in 1995. It takes input of any length and produces a 160-bit digest, shown as a 40-character hex string. SHA-1 succeeded MD5 as the web's default integrity hash through the 2000s: it was used in SSL/TLS certificates, for SSH key fingerprints, and as the original internal identifier for every object in a Git repository.
SHA-1 is broken for collision resistance. In 2017, Google's SHAttered research demonstrated the first practical SHA-1 collision, producing two different PDF files with identical SHA-1 hashes. In 2020 Leurent and Peyrin showed a chosen-prefix attack, which made SHA-1 fully unsafe for digital signatures and certificates. Browsers and certificate authorities have rejected SHA-1-signed certificates since 2017. If you see SHA-1 being used for a security purpose, that system needs to be updated.
Non-security uses still exist in the wild. Git identifies every commit, tree, and blob with a SHA-1 hash; the Git project is migrating to SHA-256 object IDs but most repositories still run on SHA-1. Torrent files use SHA-1 to identify pieces. SSH key fingerprints often use SHA-1 for display (though modern clients prefer SHA-256 fingerprints). Some CDNs and analytics systems use SHA-1 as a fast identifier that's smaller than SHA-256 but still broadly unique for non-adversarial input.
This generator runs SHA-1 via the browser's built-in Web Crypto API (crypto.subtle.digest("SHA-1", data)), which is a first-class native implementation rather than a JavaScript port. That means near-native speed for large files and complete correctness for any byte content. Text is encoded as UTF-8 before hashing, so Unicode input produces the same digest as standard Unix command-line tools.
When to pick SHA-1 over MD5: when you're matching an existing system that produces SHA-1 (Git, torrent, an old vendor API), when you need a slightly larger hash space than MD5 (40 hex chars vs 32), or when a specification mandates it. For any new system, use SHA-256 or SHA-512 — they're as fast or faster on modern CPUs and not broken.
How to generate a SHA-1 hash
- Paste or type text, or click the file picker for a file.
- Pick hex or Base64 output. Hex is the convention; Base64 is shorter.
- Copy the hash. Compare against a reference to verify integrity.
Features
- Native Web Crypto API — fast on any modern browser.
- Text and file hashing, no upload.
- Hex (40 chars) or Base64 (27 chars) output.
- UTF-8 safe for Unicode text.
Frequently asked questions
- Is SHA-1 still safe?
- Not for cryptography. The SHAttered and later attacks made SHA-1 unsafe for signatures and certificates. For non-security identifiers (Git commits, torrent piece hashes) it still works because random collisions are astronomically unlikely.
- Why does Git still use SHA-1?
- Git uses SHA-1 to identify objects, where the threat model is accidental collisions, not targeted attacks. The project is migrating to SHA-256 object IDs, but the transition is slow because every repo and tool needs to be updated.
- What's the difference between SHA-1 and MD5?
- SHA-1 produces 160 bits (40 hex chars); MD5 produces 128 bits (32 hex chars). SHA-1 is slightly slower. Both are broken for cryptography; prefer SHA-256 for any new system.
- Can I reverse a SHA-1 hash?
- No. Hash functions are one-way. Services claiming to 'decrypt' SHA-1 are actually looking up the hash in a database of precomputed hashes of common inputs.
- Does the hash depend on the input encoding?
- Yes. We hash text as UTF-8 bytes, which is the standard. If you hash the same text with a different encoding (UTF-16, CP-1252), you'll get a different hash. Stick to UTF-8 for consistency with command-line tools.
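The encode-as-UTF-8-then-digest flow described under "What is a SHA-1 Hash Generator?" and the encoding answer above, as an added JavaScript example that is not this tool's own source. The helper names are hypothetical and "abc" is a constructed sample input.

```javascript
// Added example; helper names are hypothetical, not the tool's own code.
// Web Crypto is global in browsers; the fallback covers older Node.js runtimes.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);

// Lowercase hex: 20 digest bytes -> 40 characters.
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Standard Base64: 28 characters with one "=" pad (27 once the pad is stripped).
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// SHA-1 over raw bytes; resolves to a 20-byte Uint8Array.
async function sha1(bytes) {
  return new Uint8Array(await subtle.digest("SHA-1", bytes));
}

// Text is hashed as its UTF-8 bytes, the bytes a UTF-8 terminal feeds to sha1sum.
const utf8 = (text) => new TextEncoder().encode(text);

// The same text as UTF-16LE, to show that the encoding changes the digest.
function utf16le(text) {
  const out = new Uint8Array(text.length * 2);
  for (let i = 0; i < text.length; i++) {
    const unit = text.charCodeAt(i);
    out[2 * i] = unit & 0xff;   // low byte first (little-endian)
    out[2 * i + 1] = unit >> 8; // high byte second
  }
  return out;
}

// Compare a computed digest with a published reference, ignoring case and whitespace.
const matchesReference = (hex, reference) =>
  hex === reference.trim().toLowerCase();

async function demo() {
  const digest = await sha1(utf8("abc")); // constructed sample input
  return {
    hex: toHex(digest),
    base64: toBase64(digest),
    utf16Hex: toHex(await sha1(utf16le("abc"))), // same text, different bytes
  };
}

demo().then(console.log);
```

A reference digest produced from UTF-16 text will never match the UTF-8 digest of the same string, so confirm which bytes the other system hashed before treating a mismatch as tampering.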