AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Generate the SHA-1 hash value of any string. SHA-1 produces a 160-bit hash value, typically expressed as a 40-character hexadecimal number.
SHA-1 (Secure Hash Algorithm 1) is one of the most widely-used cryptographic hash functions. It was designed by the U.S. National Security Agency (NSA) and published by the NIST in 1995 as part of the Secure Hash Standard (FIPS PUB 180-1). SHA-1 takes an input message of any length and produces a fixed-size 160-bit (20-byte) hash value, which is typically rendered as a 40-character hexadecimal string.
Like other hash functions, SHA-1 is deterministic — the same input always produces the same output — and a single character change in the input produces a drastically different hash. For example, hashing hello yields aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d, and the same input in uppercase produces a completely different value.
SHA-1 processes the input in 512-bit (64-byte) blocks. The message is padded so its length is congruent to 448 modulo 512, and the original length in bits is appended as a 64-bit big-endian integer. The algorithm maintains a 160-bit state split into five 32-bit words (h0 … h4), initialized to fixed constants. Each block goes through 80 rounds of operations split into four phases (each with 20 rounds) that mix, shift, and combine the state with the block data and round-specific constants Kt. After all blocks are processed, the five words are concatenated to form the final 160-bit digest.
Although SHA-1 has been deprecated for security-critical use, it is still embedded in many systems and remains genuinely useful for non-cryptographic purposes:
git log is a SHA-1 of the object's content. Git has been transitioning to SHA-256 in recent versions, but SHA-1 is still the default in most installations..sha1 for every release asset.ETag header, enabling efficient conditional requests.hash('sha1', ...) function and redirects back to this page with the result.Security warning: Do not use SHA-1 to hash passwords or any security-sensitive data. Practical collision attacks have existed since 2017 (the SHAttered attack). Use bcrypt, scrypt, or Argon2id for passwords, and SHA-256 or SHA-3 for digital signatures and message authentication.
Here are some practical scenarios where this SHA-1 generator is useful:
Both produce fixed-size hex digests, but they differ in output size, internal structure, and security margin. MD5 outputs 128 bits (32 hex chars) and processes input in 512-bit blocks with 4 rounds of 16 operations. SHA-1 outputs 160 bits (40 hex chars) and processes input in 512-bit blocks with 80 operations (4 phases of 20). SHA-1 was considered stronger than MD5 when it was published, but both are now broken for collision resistance. For non-cryptographic use, SHA-1 is a reasonable drop-in upgrade from MD5; for security, use SHA-256 or SHA-3.
For non-security purposes (file integrity checks, cache keys, deduplication, Git commit IDs, ETag values), yes — SHA-1 is still fine and widely used. For security purposes (passwords, digital signatures, SSL/TLS certificates, code signing), no. In 2017, Google and CWI Amsterdam demonstrated the first practical SHA-1 collision (the SHAttered attack), producing two different PDF files with the same SHA-1 hash. NIST formally disallowed SHA-1 in digital signatures after 2013, and major browsers reject SHA-1-signed certificates. Use bcrypt, scrypt, or Argon2id for passwords, and SHA-256 or SHA-3 for message authentication.
SHA-1 is a one-way function and is not directly reversible. However, attackers can use rainbow tables (precomputed databases of hashes for common inputs) or brute-force attacks to find an input that matches a given hash. For short or predictable inputs (common passwords, dictionary words), an online SHA-1 lookup can return the original plaintext almost instantly. This is why salted hashes are essential for password storage — the salt ensures that even the same password produces different hashes, defeating rainbow tables.
In February 2017, a team from Google and CWI Amsterdam published the first practical full SHA-1 collision. They produced two different PDF files with identical SHA-1 hashes, and the attack required about 6,500 CPU-years of computation. The attack proved that finding SHA-1 collisions is feasible for well-resourced attackers, which is why SHA-1 is no longer trusted for any application where collision resistance matters. The colliding PDFs are preserved at shattered.io as historical artifacts.
Git uses SHA-1 primarily as a content-addressable identifier — a way to uniquely name and dedupe objects. The cryptographic collision-resistance property is nice to have but not strictly required for Git's core model: an attacker who can craft colliding Git objects still has to convince you to accept them. Git has been transitioning to SHA-256 since version 2.42 (2023) to future-proof against the day when SHA-1 collision attacks become cheaper. Most existing repositories continue to work because Git supports both hashes transparently.
No. The SHA-1 output is always exactly 40 hexadecimal characters (160 bits), regardless of whether your input is one character or one million characters. An empty string still produces a valid SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709.
Yes. This tool computes the SHA-1 hash on the server using PHP's hash('sha1', ...) function, so the input is transmitted via HTTPS in the form submission. If you prefer a fully client-side option, you can run SHA-1 in your browser console with libraries like CryptoJS or use the SubtleCrypto API. Note that SubtleCrypto does not include SHA-1 by design (only SHA-256, SHA-384, and SHA-512), so a JS library is required if you need SHA-1 in the browser.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026