OCMA Tools

SHA-1 Hash Generator

Generate SHA-1 hash from any text input. Common for file integrity verification.

Free Runs in your browser

How to use

  1. 1 Type or paste the text you want to hash into the input field.
  2. 2 The SHA-1 hash is computed instantly in your browser.
  3. 3 Click Copy to grab the 40-character hex digest.
  4. 4 Note: SHA-1 is deprecated for security — prefer SHA-256 or SHA-512 for new applications.

Key features

  • Computes SHA-1 hash using the Web Crypto API
  • Instant output — updates as you type
  • Produces a 40-character hexadecimal digest
  • Useful for legacy checksums and Git object IDs

What is SHA-1?

SHA-1 (Secure Hash Algorithm 1) was designed by the NSA and published by NIST in 1995. It produces a 160-bit (40-character hex) digest. For over two decades it was a backbone of internet security, used in SSL/TLS certificates, code signing, and version control systems.

In 2017, Google and CWI Amsterdam demonstrated the first practical collision attack on SHA-1 (the SHAttered attack), producing two different PDF files with the same SHA-1 hash. This ended its use in security contexts. SHA-1 is still found in legacy systems and Git's internal object model, though Git is actively migrating to SHA-256.

Where SHA-1 Still Appears

Git commit IDs (legacy)

Git historically identifies commits, trees, and blobs by their SHA-1 hash. Newer repositories can use SHA-256.

Package integrity checks

Some older package registries and CDNs still publish SHA-1 checksums for download verification.

Legacy TLS/SSL (read-only)

Older SSL certificates used SHA-1 signatures. These are now rejected by all modern browsers.

Internal enterprise systems

Legacy internal tools, build pipelines, and ERP integrations may still generate or verify SHA-1 hashes.

TOTP and HOTP (RFC 4226)

Time-based one-time password specs originally specified HMAC-SHA-1 as the default algorithm.

Forensics and file matching

Digital forensics databases (NSRL) use SHA-1 to identify known files, including both clean and malicious ones.

Don't use SHA-1 for new security-sensitive work

If you're hashing passwords, signing code, or issuing certificates, use SHA-256 or SHA-512 instead. SHA-1 is collision-vulnerable and is no longer accepted by modern browsers and CAs for TLS certificates.

Browse all 49 tools