Wednesday, 5 February 2014

File Hashes / Checksums - Easy way to Check and Create them

When you visit a website and download a file, the site will often offer you the chance to download a Hash or Checksum for the file as well. This is a large number, created using one of several algorithms, that is output as a sequence of letters and numbers which is, for practical purposes, unique to whatever file has been hashed.


The idea is that you can then calculate the hash yourself to confirm that what you’ve downloaded is the same as what was uploaded by the file owner. A site may do this because there’s a potential risk that uploads can end up hacked. Another site that helpfully stores the file alongside the main site may choose to modify the download. Who knows what nefarious material they added to hack your system after you install or use the file.

To help avoid that risk, you can check the Hash generated for the file. An easy-to-use tool for this is Quick Hash, a GUI-based Linux and Windows file hashing tool. This can be downloaded from:

Steps for checking a Hash
1) Copy the Hash provided on the download site for the file you’re interested in
2) Generate a Hash for the file you just downloaded
3) Compare them to ensure they’re the same

Let’s go through each step on Windows. The process with Quick Hash is just as easy on Linux.

After you’ve downloaded Quick Hash, open it and navigate to the ‘Hash File’ tab.

Click on “Select file” and open the file you’ve downloaded. Quick Hash generates the file Hash straight away.

In the above I used hashTest.txt and it generated the following SHA1 Hash:

Now copy the Hash provided by the download site and ensure it matches. For hashTest.txt you can grab the file from here: Generate the Hash and compare with the above.

That’s it!

You now have a simple way to verify your downloads and provide Hash keys for your own files.

Points to note
There are a few things to be mindful of when working with file Hashes.

Fake Hashes for Hacked files

A download site could of course generate a Hash for a file themselves. If you’re concerned, try downloading the file from different sources or ideally from the original source. You can then generate hashes on all copies of the download and ensure they are the same.

Different types of Hash

As you saw in the Quick Hash software there are different types of Hash: MD5, SHA1, SHA256 and SHA512. These represent different algorithms for hashing and you just need to check your download site for the Hash type they've used so the one you generate matches.

Any change changes the Hash

If you edit the file you create a Hash for, even by a single character, the Hash will be different. Just be aware, in case, like me, you’re a tweaker! If you change the file, update the Hash.
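The three checking steps and the points above about hash types and single-character changes can also be scripted. The following is an added example, not part of the original post and not Quick Hash's own code; the file name and contents in `demo()` are constructed, and the hash type is inferred from the length of the pasted value.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm, for the four hash types the post lists.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalise(published):
    """Clean a hash pasted from a web page ("HASH" or "HASH  filename")."""
    parts = published.split()
    token = parts[0].lower() if parts else ""
    if len(token) not in ALGO_BY_HEX_LEN or set(token) - set("0123456789abcdef"):
        raise ValueError("not an MD5/SHA1/SHA256/SHA512 hex digest")
    return token


def hash_file(path, algorithm):
    """Hash the file in 1 MiB chunks so large downloads need little memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, published):
    """Return (algorithm, matches) for a downloaded file and its published hash."""
    expected = normalise(published)
    algorithm = ALGO_BY_HEX_LEN[len(expected)]  # pick the type the site used
    return algorithm, hmac.compare_digest(hash_file(path, algorithm), expected)


def demo():
    """Constructed sample: hash a file, 'publish' it, then change one character."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.txt")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"hello world\n")
        published = "  " + hash_file(path, "sha1").upper() + "  sample.txt\n"
        before = verify(path, published)
        with open(path, "wb") as f:
            f.write(b"hello World\n")  # single-character edit
        after = verify(path, published)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Where a site publishes more than one type, compare against the SHA256 or SHA512 value, since practical collisions exist for MD5 and SHA1.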