Current version:

Older versions:

Contributed Code

More Hash Scripts

Future Version 3.0

A 3.0 version is planned (no time frame as yet) that will break backward-compatibility. Some of the desired features for this are:

  • JavaScript object interface. This is by far the most frequently requested change.
  • Removing the global variables. The current arrangement can make multiple uses of the script on a single page interfere with each other.
  • Improved performance. safe_add is slow, and only needed for very old browsers. Also, I believe Firefox allows JavaScript to access a cryptographic library, which would likely be much faster.
  • Streaming support. Currently, you have to put everything you want to hash into a single string. This would allow you to add data to a hash, bit by bit.
  • JavaScript password strength checker. It may be more appropriate to release this as a separate script.
  • Currently, several chunks of code have been copied and pasted between the scripts. This is general considered bad programming practice. We need to find some way to avoid this, while still providing users with a single, self-contained file for each hash.

Some potential approaches have been submitted for the object interface, and further suggestions are welcome:

Change History

2.2 (30 June 2009)
  • More algorithms - RIPEMD-160, SHA-256 and SHA-512 are now supported, based on contributed code. Support for MD4 has been dropped.
  • Compressed versions of the scripts are available, processed by YUI Compressor. sha1-min.js is less than 3KB.
  • Improved Unicode support. By default, the input string is now encoded as utf-8, before being hashed, which is what most people want. It is still possible to use utf-16, but the chrsz configuration variable is gone.
  • Arbitrary output encoding. You can specify a string of characters to use for output encoding; the string length does not need to be a power of two. This is helpful for password makers, which want to use as much unpredictability as possible, in a short password.
  • Bug fixes:
    • The scripts now work correctly if immediate code is not executed, so they support some unusual platforms, including GreaseMonkey.
    • rstr2binl now preinitialises the array with zeros, to work around bugs in some browsers.
    • md5_vm_test now works if hex_case is set to 1
2.1 (15 Dec 2002)
  • Binary string output
  • Improved browser compatibility. Version 2.0 had a number of problems and should not be used.
  • Backward-compatibility with version 1 is removed.
2.0 (2 Oct 2002)
  • Base-64 output
  • Unicode input. Note: this uses utf-16 encoding, which is rarely what is desired. Version 2.2 has improved Unicode support, with utf-8 encoding.
  • HMAC - keyed hashing
  • New function interface, to support the new features.
1.1 (15 Jun 2001)
  • Renamed the add function to safe_add because add is a reserved word in ActionScript. Reported by Amanuel Workneh.
  • All variables are now prefixed with var to make them local. Suggested by Richard Mitchell and Ian Richardson.
  • The code now works in IE for Macintosh, thanks to Greg Holt and Andrew Kepert.
  • The code now returns a lower-case hex string, like most MD5 functions. Thanks to Brian Lozier for noticing this.
  • Code changed to use charCodeAt function instead of the dodgy sAscii variable. Thanks to Erik Johnson.
  • Calls to Math.pow removed, now I've discovered the >>> operator.
  • The code now works in Opera, because Peter Valach fixed a precedence problem.
  • Original version
© 1998 - 2012 Paul Johnston, distributed under the BSD License   Updated:09 Dec 2012