Back to Home

SHA-1 Hash Generator

Encrypt any text or file to SHA-1, or try to reverse a known SHA-1 hash with the built-in dictionary. 100% client-side.

About SHA-1

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function published by the NSA in 1995. It produces a 160-bit (40-character hexadecimal) digest. SHA-1 is the algorithm Git uses for commit identifiers, and it remains widely deployed in legacy systems. In 2017, researchers demonstrated the first practical SHA-1 collision (the SHAttered attack), so SHA-1 is considered broken for security purposes. It is still acceptable for checksums, deduplication, and non-cryptographic fingerprinting, but for new security-sensitive code use SHA-256 or SHA-3.

How to Use

  1. Encrypt: switch to the Text Input or File Input tab, type / paste text or drop a file, then click Generate SHA-1.
  2. Reverse lookup: switch to the Decrypt (Dictionary) tab, paste the target SHA-1 hash, and start the dictionary attack.
  3. Copy: click the copy icon next to the hash to copy it to your clipboard.

FAQ

Can SHA-1 be decrypted?
Like all cryptographic hashes, SHA-1 cannot be reversed mathematically. The dictionary attack here works by hashing candidate strings and comparing to the target. The built-in top-100 common-password dictionary can crack weak passwords quickly. Paste a larger custom wordlist for broader coverage.
Is SHA-1 still secure?
No — SHA-1 is broken for collision resistance since 2017. Use it only for non-security purposes (checksums, Git object IDs, legacy compatibility). For modern security, use SHA-256, SHA-3, or BLAKE2.
Why does Git use SHA-1?
Git uses SHA-1 to identify commits, trees, and blobs. SHA-1's collision weakness doesn't directly compromise Git because Git objects include type and length metadata that make collision attacks impractical. Git is also migrating to SHA-256 in newer versions.
What is a 40-character SHA-1 hash?
SHA-1 produces a 160-bit digest, rendered as 40 hex characters. The SHA-1 of "hello" is aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d.
Is my data sent to a server?
No. SHA-1 computation and dictionary attack run entirely in your browser using the Web Crypto API. Your text, files, hashes, and wordlist never leave your device.