What is a SHA-1 hash?

SHA-1 is a hash function that maps any input to a fixed 160-bit value, displayed as 40 hexadecimal characters. It is the algorithm Git uses to identify commits, trees, and blobs.

Is SHA-1 still secure?

No, not against a determined attacker. Practical collision attacks against SHA-1 were demonstrated in 2017, so it should not be used for digital signatures or certificates. Use SHA-256 for security.

How is the hash computed in the browser?

The tool uses the built-in Web Crypto API method crypto.subtle.digest with the SHA-1 algorithm, so the calculation runs locally and matches any standard SHA-1 implementation.

Why does the result appear a moment after typing?

Web Crypto digest functions are asynchronous and return a promise. The tool awaits that promise, so there can be a brief moment before the new hash replaces the old one.

Does my text leave the browser?

No. The hashing is performed entirely on your device by the browser's crypto engine. The text you enter is never transmitted to any server.

SHA-1 Hash Generator

What SHA-1 produces

SHA-1 maps any input to a fixed 160-bit value shown as 40 hexadecimal characters. It is best known as the algorithm Git historically used to name commits, trees, and blobs, and it still appears in many legacy checksum and fingerprint formats.

How it works

This tool relies on the browser’s native Web Crypto API rather than a hand-rolled implementation. It encodes your text to UTF-8 bytes and calls:

const buf = await crypto.subtle.digest("SHA-1", bytes);

The resulting ArrayBuffer is then formatted as lowercase hexadecimal. Because crypto.subtle.digest returns a promise, the hash is produced asynchronously and the display updates as soon as the calculation resolves. The output is identical to any conformant SHA-1 implementation.

Security note and example

The SHA-1 of an empty string is da39a3ee5e6b4b0d3255bfef95601890afd80709, a handy way to confirm correctness. Be aware that SHA-1 is no longer collision resistant: a practical collision was published in 2017, so it must not be used for digital signatures, TLS certificates, or any context where an attacker could forge a matching input. For those purposes choose SHA-256 or stronger. SHA-1 remains acceptable for non-adversarial uses such as content addressing and integrity checks against accidental corruption.