How to Hash a File in One Minute


1. Open Windows Command Line. In your Start bar, type CMD and press Enter to open Windows Command Line.



2. Decide which hashing algorithm you want to use. Different hash functions (i.e., hashing algorithms) suit different needs and purposes. For example, you’ll want to use a fast hashing algorithm for digital signatures but a slow one for secure password storage. (Note: it’s recommended that you store your password hash values and not the plaintext passwords themselves.)


3. Hash a file using the certutil -hashfile command. Run certutil -hashfile followed by the path to the file you want to hash and the name of the hash function (hashing algorithm) you want to use. Some examples include SHA256, MD5 and SHA1. (Both MD5 and SHA1 have been deprecated, so they’re not typically recommended, but you’ll still sometimes find them being used.)


The resulting command for hashing a file using SHA-256 will look something like this:

certutil -hashfile App_Web_stdfeeonlinev3.aspx.f0db4b1d.dll SHA256


A screenshot of how to enter the certutil command in Windows Command Line with the resulting SHA-256 hash value.


That’s it! You’ve hashed your file quickly and easily. In this case, the resulting SHA-256 hash value (i.e., digest) for the file in this example is the following:


Why Hashing Matters to File and Software Security

Hashing is an essential tool when it comes to ensuring the integrity of your software and protecting your organization’s brand and reputation. Why? Because, basically, hashing serves as a form of checksum.

When people download your software, for example, you can provide the file’s or executable’s hash value for them to use to check themselves. This helps to establish trust and provides your users with a way to verify that your software hasn’t been altered. If the hash values don’t match, then users will know that the file or software in question may have been modified and, therefore, it can’t be trusted.
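
The user-side check described above, as an added PowerShell example that is not part of the original article: it hashes a file with the built-in Get-FileHash cmdlet, compares the result with a published digest, and reports a match for the untouched file and a mismatch once a single byte changes. The function name Test-FileDigest and the temporary file name are hypothetical, and the sample file is constructed (three bytes, "abc", checked against the standard SHA-256 test vector for that input).

```powershell
# Added example: compare a file's digest with a published value.
function Test-FileDigest {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )

    # Published digests get pasted with spaces, colons or mixed case; normalize.
    $want = ($Expected -replace '[\s:]', '').ToUpperInvariant()

    # Refuse anything that is not a full-length hex digest, so an empty or
    # truncated published value can never be reported as a match.
    $hexLength = @{ SHA256 = 64; SHA384 = 96; SHA512 = 128 }
    if ($want.Length -ne $hexLength[$Algorithm] -or $want -notmatch '^[0-9A-F]+$') {
        throw "Expected value is not a valid $Algorithm digest."
    }

    # Get-FileHash returns the digest as an uppercase hex string.
    $got = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm -ErrorAction Stop).Hash

    [pscustomobject]@{
        Algorithm = $Algorithm
        Expected  = $want
        Actual    = $got
        Match     = ($got -eq $want)
    }
}

# Constructed sample: a 3-byte file containing "abc", whose SHA-256 digest is
# the standard published test vector for that input.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'digest-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63))
$published = 'ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad'

Test-FileDigest -Path $sample -Expected $published     # unmodified file

# Change one byte, as tampering would, and check against the same digest.
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x64))
Test-FileDigest -Path $sample -Expected $published     # modified file

Remove-Item -LiteralPath $sample
```

The comparison is only as trustworthy as the place the expected digest came from, so take it from a channel separate from the download itself.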

But, sometimes, hashing isn’t enough. Remember the issue we mentioned earlier? Imagine that someone hacks your website and uploads their own malicious version of your software. They replace the hash values on your site with the ones for their dangerous files. If your users use those hash digests to confirm the files are authentic, the check will pass: all it confirms is that the hash values on the site match the ones for the file.

However, there’s no digital identity for them to verify. This is where digital signatures and digital certificates come into play.


