SHA-1 produces a 160-bit (40 hex character) hash. While SHA-1 is deprecated for security use due to known vulnerabilities, it is still commonly used for checksums and version control (Git). This tool uses the browser's Web Crypto API — your data never leaves your device.
SHA-1 produces a 160-bit (40 hex character) digest using the Merkle-Damgård construction. It was the workhorse hash of the late 1990s and 2000s, but practical collision attacks (Google's SHAttered in 2017) mean you should not use it for digital signatures or anything an attacker could influence.
It remains useful for non-adversarial integrity checks: file fingerprints, content-addressed storage like git objects, and quick deduplication. This calculator uses the browser's Web Crypto API directly, so the digest you see is the same one generated by openssl, sha1sum, or any compliant library.
For password storage or digital signatures: no. SHOWN collision attacks (Google's SHAttered, 2017) made it unsafe for security-critical use. It's still fine for non-adversarial integrity checks like git object IDs.
Git uses SHA-1 for content addressing, not for security — collisions there cause file mix-ups, not security breaches. The git project is migrating to SHA-256, and recent versions accept either.
No — SHA-1 is deterministic. The same input bytes always produce the same 160-bit digest. If you get different outputs from different tools for the "same" text, one is using a different character encoding (UTF-8 vs UTF-16, with or without BOM).
As UTF-8. The string is fed through TextEncoder before being passed to crypto.subtle.digest, so "café" is hashed as the 5 bytes 63 61 66 c3 a9, not as 4 UTF-16 code units.
Explore the full suite of Hash & Crypto tools and 290+ other free utilities at Chunky Munster.