What is HMAC and when should I use it?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to verify both data integrity and authenticity. Use HMAC when you need to verify that a message was not tampered with and came from someone who knows the shared secret key.

Why use Bcrypt for password hashing instead of SHA-256?

Bcrypt is specifically designed for password hashing. Unlike SHA-256 which is designed to be fast, Bcrypt is intentionally slow and includes an adjustable cost factor. This makes brute-force and rainbow table attacks much harder. Always use Bcrypt, Argon2, or PBKDF2 for storing passwords — never plain SHA-256 or MD5.

← Back to all tools

Hash Generator

Generate cryptographic hashes, HMAC signatures, and Bcrypt password hashes.

Hash Generator

Algorithm

Input Text *

Hash Output

Hash will appear here — updates as you type…

🛡️

HMAC Generator

ℹ

HMAC (Hash-based Message Authentication Code) verifies both data integrity and authenticity using a shared secret key.

Algorithm

Message *

Secret Key *

HMAC Output

HMAC signature will appear here…

🔑

Bcrypt Password Hashing

ℹ

Bcrypt is designed for hashing passwords. Higher rounds = slower = more secure. Default of 10 is a good balance for most applications.

Password / Text *

Work Factor (rounds)

Bcrypt Hash (for verification)

Output

Bcrypt hash or verification result will appear here…

❓

Frequently Asked Questions

What is the difference between SHA-256 and MD5?

SHA-256 produces a 256-bit hash and is cryptographically secure for modern use. MD5 produces a 128-bit hash and is deprecated for security purposes due to known collision vulnerabilities — use SHA-256 or SHA-3 instead.

Can I reverse a hash?

No. Hash functions are one-way by design. It is computationally infeasible to recover the original input from a hash output. This is what makes hashing suitable for password storage and data integrity checks.

What is HMAC?

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce an authentication code. It verifies both the integrity and authenticity of a message, ensuring it was not altered and came from the expected sender.

Is SHA-1 still safe to use?

SHA-1 is no longer considered cryptographically secure — collision attacks have been demonstrated. It should not be used for security-sensitive applications like digital signatures or certificate signing. Use SHA-256 or SHA-3 instead. SHA-1 is still acceptable for non-security uses like checksums.

How do I verify a file's integrity using a hash?

Hash the file and compare the output to the expected hash provided by the file source. If the hashes match, the file is intact and unmodified. This is commonly used to verify downloaded software and backups.

What is the Bcrypt cost factor?

The cost factor (also called work factor or rounds) controls how slow the hashing operation is. A higher cost factor means more computational work, making brute-force attacks harder. Cost 10 is the recommended default. Increase it as hardware gets faster.