Byte size and hashs?

Question

I was using a hash generator, and when you enter SHA1 into the lookup, it spits out 40 characters under SHA1.

So when I looked it up on the internet to see the byte size, it says 20 bytes, even though it's 40 characters?

I thought byte size was determined by characters? 1 character = one byte or am I wrong? Unless it's determined by bit size?

I looked it up to clarify if my assuming was correct on it being 40 bytes, but it's telling me it's 20 bytes, not 40.

Answer 1

Officially the outcome of the SHA-1 hash is 160 bits, and on modern computer those are represented by 20 bytes.

As the FIPS 180-1 specification indicates:

For a message of length < 2^64 bits, the SHA-1 produces a 160-bit condensed representation of the message called a message digest.

The hexadecimals are just a textual representation of those 20 bytes. Those same bytes could also be e.g. base 64 encoded but sha1sum and other such utilities usually display (lowercase) hexadecimals, as the hash is limited in size by definition.

Note that SHA-1 is not considered secure anymore and the FIPS document is now withdrawn. Use SHA-2, SHA-3 or - in many cases - a good password hash such as Argon2 instead.