MD5 Hash Generator
Online MD5 encryption, supports 16-bit and 32-bit output, uppercase and lowercase conversion
Format Settings
What is MD5 Encryption?
MD5 (Message Digest Algorithm 5) is a widely used cryptographic hash function designed by American cryptographer Ronald Rivest in 1991. MD5 can map data of any length to a fixed 128-bit (16-byte) hash value, typically represented as 32 hexadecimal digits. MD5 was widely used for data integrity verification, password storage, and digital signatures. However, in 2004, Chinese cryptographer Wang Xiaoyun and her team discovered collision vulnerabilities in MD5, allowing attackers to construct two different pieces of data with the same MD5 value. Therefore, MD5 is no longer suitable for security-sensitive scenarios. MD5 output formats come in two types: the standard 32-bit (complete hash value) and the truncated 16-bit (taking the middle 16 characters from the 32-bit value). This tool supports both output formats with uppercase or lowercase display options.
How to Use
How to use
- Enter the text to encrypt in the input field
- Select output format: uppercase 32-bit, lowercase 32-bit, uppercase 16-bit, or lowercase 16-bit
- MD5 value will be automatically calculated and displayed
- Click the 'Copy' button to copy the result
Output Format Description
- Use the 32-character output when you need the complete MD5 digest for checksums, cache keys, or legacy API fields.
- Use the 16-character output only when a legacy system explicitly expects the middle 16 characters of the full digest.
Case Description
- Uppercase and lowercase MD5 values contain the same hexadecimal bytes; the difference is only display format.
- When comparing MD5 values, match the exact case required by the target system to avoid false mismatches.
Use Cases
Technical Principle
MD5 (Message-Digest Algorithm 5) was designed by Ronald Rivest at MIT in 1991 and published as RFC 1321, replacing the broken MD4. It was the workhorse hash of the 1990s and 2000s: file integrity checks, password storage (poorly, with no salt), digital signatures, malware fingerprinting, and the default digest in tools as diverse as `md5sum`, MySQL's `MD5()`, Git's older object store, and `openssl dgst -md5`. The output is 128 bits (16 bytes), almost always displayed as 32 lowercase hex characters. The design follows Merkle–Damgård: pad the message to a multiple of 512 bits, append a 64-bit little-endian length, then iterate a compression function over each 512-bit block. The 128-bit state is exposed in the four 32-bit registers A, B, C, D, initialised to fixed constants (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 — chosen to be 'nothing-up-my-sleeve' values: they are the square roots of 2, 3, 5, 10 in little-endian). Each 512-bit block is split into sixteen 32-bit words M[0..15] and run through 4 rounds of 16 steps (64 steps total). The round functions are F = (X AND Y) OR (NOT X AND Z), G = (X AND Z) OR (Y AND NOT Z), H = X XOR Y XOR Z, I = Y XOR (X OR NOT Z); each step combines one round function, a message word, a round constant T[i] = floor(2^32 · |sin(i+1)|), and a left rotation by a step-specific amount, then adds the result back to the state. The 4 rounds' design intent: round 1 is fast and nonlinear, round 2 is parallelisable, round 3 mixes more aggressively, round 4 finishes with strong diffusion. The final state is the MD5 of the entire message; this is what makes MD5 a one-way function in the pre-quantum sense. The crash: collision resistance is broken, and that is the only thing that matters for cryptographic use. Wang et al. published a full collision attack in 2004 (CFRG attacks reduced collision search to a few hours on a PC). In 2008, researchers used MD5 collisions to forge a valid CA certificate (the 'chosen-prefix collision' attack by Stevens et al.), and in 2012 the Flame malware abused a still-undisclosed MD5 collision to forge a Microsoft code-signing certificate. The 2004 paper reduced the collision search space from 2^64 to about 2^24, so any attacker with a few hours of compute can produce two messages with the same MD5. After Flame, Microsoft explicitly banned MD5 in Authenticode; browsers revoked MD5-signed TLS certificates in 2014-2017; and the IETF has long deprecated MD5 in TLS, SSH, and IPsec. Performance numbers from a modern x86-64 laptop: MD5 hashes at 400-700 MB/s per core (memory-bandwidth bound on large inputs), SHA-256 at 200-300 MB/s, SHA-512 faster on 64-bit CPUs because of 64-bit word operations. For password hashing, MD5 is unsuitable regardless of throughput — bcrypt/scrypt/Argon2id are intentionally tunable to defeat GPU acceleration. On a single RTX 4090, Hashcat benchmarks MD5 at roughly 60 GH/s (gigahashes per second) — 7-8x faster than SHA-256 on the same GPU. That gap is the entire reason MD5 is dangerous: GPU grinding through precomputed tables in hours, not years. Web Crypto's `crypto.subtle.digest('MD5', bytes)` runs at near-disk speed in Chrome, Edge, and Firefox 102+; older browsers fall back to a pure-JS implementation (SparkMD5 or the page's own) at 50-150 MB/s. Test vectors from RFC 1321: empty string hashes to d41d8cd98f00b204e9800998ecf8427e, 'a' to 0cc175b9c0f1b6a831c399e269772661, 'abc' to 900150983cd24fb0d6963f7d28e17f72. If your output does not match these, the bug is almost always an encoding issue (passing a JS string to a JS MD5 implementation instead of UTF-8 bytes) rather than the algorithm itself.
- Merkle–Damgård construction makes MD5 vulnerable to length-extension: given H(secret || msg), an attacker can compute H(secret || msg || padding || extra) without knowing secret. This is why MD5(secret || message) is not a safe MAC — use HMAC-MD5 (RFC 2104) or HMAC-SHA256 instead, which use a different structure (a two-key nested hash) that resists this attack.
- Test vectors (RFC 1321): the empty string hashes to d41d8cd98f00b204e9800998ecf8427e, 'a' to 0cc175b9c0f1b6a831c399e269772661, 'abc' to 900150983cd24fb0d6963f7d28e17f72. If your implementation does not produce these, the bug is almost always an encoding issue (passing a JavaScript string to a JS MD5 implementation instead of UTF-8 bytes via TextEncoder), not the algorithm itself.
- Hash rate: a single core of a modern x86-64 CPU does about 400-700 MB/s of MD5, dominated by memory bandwidth on large inputs. SHA-256 is roughly 30% slower at 200-300 MB/s, and SHA-512 is faster on 64-bit CPUs because it operates on 64-bit words. For password hashing specifically, the right choice is bcrypt (cost factor 12) / scrypt / Argon2id, which are intentionally slow and tunable to defeat GPU acceleration.
- The '4 round functions' F, G, H, I were deliberately named to read as a sentence ('FiGiHI' / 'figi hi'), a Rivest signature. Each is bitwise-only and uses different mixing structure so the algorithm does not collapse to a linear or affine system under cryptanalysis. The S-box concept of DES / AES does not exist in MD5; security comes from message-word expansion and the rotation constants, not from substitution tables.
- Hashcat benchmark on a single RTX 4090: roughly 60 GH/s for MD5 (against pure-hash) and 30 GH/s for MD5 with salt. SHA-256 on the same GPU is 8 GH/s. The 7-8x gap is why attackers love MD5: the GPU can grind through precomputed tables in hours, not years. Use SHA-256, bcrypt, or Argon2id for anything that needs to resist offline attack.
- The 'double MD5' (MD5(MD5(x))) is sometimes seen in old PHP and MySQL code, often with a salt. It does not help against collision attacks (a collision of MD5 is a collision of MD5(MD5()) with O(1) extra work) and only slightly slows preimage search (a factor of 2). Modern password hashing (Argon2id from RFC 9106, scrypt from RFC 7914, bcrypt with cost ≥ 12) is the only correct answer for password storage; if you see MD5 in a modern password column, it is a bug.
- Migrating away from MD5: if you maintain a system that currently uses MD5, the right migration is to dual-write (compute both MD5 and SHA-256 on read, prefer SHA-256 in new code paths) for a deprecation window, then drop MD5 once nothing depends on it. For legacy protocols that hard-require MD5 (NTLM, RADIUS challenge-response, some Kerberos modes), MD5 is not going away soon — Microsoft patched NTLM to use AES in 2010, but the old version is still on by default for compatibility, and you should disable NTLMv1 entirely if you have legacy Windows systems.
- The page's implementation: when Web Crypto is available (Chrome, Edge, Firefox 102+), `crypto.subtle.digest('MD5', utf8Bytes)` is used, which runs in native code at near-disk speed. When it is not, a pure-JS implementation (SparkMD5 0.7 or the page's own) is used, which runs at 50-150 MB/s. Both produce identical output, so test vectors pass for both backends. The encoding step is `new TextEncoder().encode(str)`, which always gives UTF-8 bytes; do not pass a JavaScript string directly to a JS-only MD5 implementation or you will get a wrong hash on any non-ASCII input.
Examples
Empty String and Short Text
Empty string -> d41d8cd98f00b204e9800998ecf8427e
hello -> 5d41402abc4b2a76b9719d911017c592
RFC: RFC 1321 section A.1 defines these test vectorsCase Sensitivity
hello world -> 5eb63bbbe01eeed093cb22bb8f5acdc3
Hello -> 8b1a9953c4611296a827abf8c47804d7
HELLO -> eb61eead90e3b899c6bcbe27ac581660
Note: changing a single character completely changes the hash (avalanche effect)Numbers and Punctuation
123456 -> e10adc3949ba59abbe56e057f20f883e
Hello, World! -> 65a8e27d8879283831b664bd8b7f0ad4
file.txt -> 3d8e577bddb17db339eae0b3d9bcf180
Note: any change in punctuation or whitespace produces a completely different digestWhy MD5 is not recommended for security
Collision attack: In 2004, researchers found ways to create two different
messages with the same MD5 hash. This breaks digital signatures and
certificate validation.
For security, use SHA-256 or SHA-3:
MD5: 128 bits, broken collision resistance (feasible attack)
SHA-256: 256 bits, no practical collisions found
SHA-512: 512 bits, even stronger margin
NIST: NIST has deprecated MD5 for cryptographic use since 2005
Use: MD5 is still safe for file integrity checks, deduplication, and cache keysFAQ
What is MD5?
MD5 (Message Digest 5, RFC 1321) is a 128-bit hash function published by Ron Rivest in 1991. It always returns 32 hex characters regardless of input length, and the output changes completely if even one input bit changes. It is fast - hundreds of MB/s on a modern CPU.
Is MD5 secure?
Not for security. Collision attacks against MD5 have been practical since 2004, and chosen-prefix collisions since 2007. Do not use MD5 for digital signatures, certificate hashes, password storage, or any tamper-detection where an attacker can choose either input.
What can I still use MD5 for?
Detecting accidental corruption: download checksums, simple deduplication of trusted files, and quick ETag-style fingerprints. Many vendors continue to publish MD5 for backwards compatibility, often alongside SHA-256.
Is the calculation done locally?
Yes. MD5 of pasted text is computed in your browser. Nothing is uploaded or logged. You can confirm by checking the Network tab while you hash.
Why does the same string produce a different MD5 elsewhere?
Almost always because of a hidden character difference: a UTF-8 BOM, a trailing newline, CRLF instead of LF, or one tool encoding as UTF-8 while another encodes as UTF-16. The MD5 algorithm itself is fully deterministic across implementations.
Are uppercase and lowercase MD5 the same?
Yes. The 128 bits of output are identical; case is purely a display convention. Verifiers should compare case-insensitively.
How is MD5 different from MD5(salt + password)?
Plain MD5 of a password is trivially crackable with rainbow tables. Adding a salt blocks pre-computed tables but MD5 is still far too fast for password hashing. Use bcrypt/scrypt/Argon2 for passwords; MD5 (with or without salt) is the wrong tool for that job.