String Functions
String to MD5 Hash Generator
Create an MD5 hash of any string. Useful for cache busting, content checksums, and quick fingerprints.
About MD5 hashing
This tool computes the MD5 hash of any text you enter — a 128-bit digest, always rendered as 32 lowercase hexadecimal characters no matter how long or short the input is. MD5 is defined in RFC 1321: feed it a byte string of any length and it deterministically produces the same fixed-size digest every time, with even a one-character change producing a completely different output. The output format matches PHP's md5() function exactly, so you can use it to sanity-check a hash computed on the backend without spinning up a script.
Everything runs client-side: your input is encoded to UTF-8 bytes with TextEncoder, then hashed by a from-scratch JavaScript implementation of the RFC 1321 compression algorithm — four rounds of 16 steps over four 32-bit state words — and nothing is sent to a server. That's a deliberate choice, not a shortcut: the browser's native Web Crypto API (crypto.subtle.digest) supports SHA-1/256/384/512 but deliberately not MD5, since MD5 is no longer considered cryptographically secure. To keep MD5 available for the same checksum and legacy-compatibility uses the original tool covered, the algorithm had to be hand-implemented rather than delegated to the browser.
MD5 is common for cache-busting file names, quick content checksums that confirm two blobs of text are byte-identical, deduplication keys, and non-secret lookup fingerprints — cases where speed matters more than resistance to a determined attacker. It is a poor choice for anything security-sensitive: practical collision attacks, where two different inputs are crafted to produce the same hash, have been demonstrated since 2004, and MD5 must never be used to store passwords. For integrity checks against an untrusted source, or for password storage, use SHA-256 or a dedicated password-hashing function instead.
Examples
Input: The quick brown fox jumps over the lazy dog
Output: 9e107d9d372bb6826bd81d3542a419d6This is the classic MD5 test string used across cryptography references — a quick way to confirm any MD5 implementation is working correctly.
Input: (empty string)
Output: d41d8cd98f00b204e9800998ecf8427e
Input: W3Docs
Output: d72212c1d3c6e939ee94228a55f0c2f2MD5 always outputs 128 bits (32 hex characters), whether the input is empty or many paragraphs long — that fixed size is what makes it usable as a checksum.
echo md5("The quick brown fox jumps over the lazy dog");
// 9e107d9d372bb6826bd81d3542a419d6PHP's md5() returns the same lowercase hex format as this tool, so you can cross-check a hash from a script without running it.
Frequently asked questions
Can an MD5 hash be reversed or decrypted?
No — MD5 is a one-way function, so there's no algorithm that recovers the original input from a hash. Tools that claim to decrypt MD5 are actually lookup services: they hash a huge dictionary of common strings in advance and match your hash against that list, so they only work if the original input was predictable and already in the dictionary.
Is MD5 safe to use for hashing passwords?
No. MD5 is fast to compute, which makes brute-forcing weak passwords cheap, and it has no built-in salting, so identical passwords always produce identical hashes. Use a purpose-built password-hashing function like bcrypt, scrypt, or Argon2 instead — they're deliberately slow and salted.
Why doesn't my MD5 hash match the one from another tool or language?
MD5 hashes raw bytes, not text in the abstract, so a trailing newline, extra whitespace, or a different character encoding changes the input bytes and produces a completely different digest even when the visible text looks identical. This tool encodes your input as UTF-8 before hashing, matching PHP's md5() default, so make sure whatever you're comparing against is hashing the exact same bytes.
What's the difference between MD5 and SHA-256?
Both take input of any length and produce a fixed-size digest, but MD5 outputs 128 bits and SHA-256 outputs 256 bits. MD5's collision resistance is broken — two different inputs can be deliberately crafted to produce the same hash — while SHA-256 remains cryptographically strong, so SHA-256 is the safer default whenever the hash needs to resist tampering.
Does this tool send my text to a server?
No. The hash is computed entirely in your browser with JavaScript — your input is never transmitted, logged, or stored anywhere.