browserutils
← All terms

// glossary

What is SHA-256?

SHA-256 is a cryptographic hash function from the SHA-2 family that produces a fixed 256-bit (32-byte) digest from any input, widely used for data integrity verification and digital signatures.

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function from the SHA-2 family that produces a fixed 256-bit (32-byte) digest from any input. It’s a one-way function — you can’t reverse the hash to recover the original data.

How it works

SHA-256 processes input in 512-bit blocks through 64 rounds of bitwise operations, modular addition, and compression. Regardless of whether the input is a single character or a 10GB file, the output is always a 64-character hexadecimal string.

Input:  "hello"
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Changing even one bit of input produces a completely different hash (the avalanche effect). This makes SHA-256 useful for detecting tampering.

Why developers use SHA-256

SHA-256 is the workhorse of modern cryptography. Its applications include:

  • Data integrity: Checksums for file downloads, package managers (npm, pip), and Docker images use SHA-256 to verify nothing was altered in transit.
  • Digital signatures: TLS certificates, code signing, and Git commits rely on SHA-256 to ensure authenticity.
  • Blockchain: Bitcoin’s proof-of-work algorithm is built on double SHA-256 hashing.
  • API authentication: HMAC-SHA256 is a standard method for signing API requests (used by AWS, Stripe, and others).
  • Content addressing: Systems like IPFS and Git use hashes to identify content by its digest rather than its location.

SHA-256 vs. MD5

MD5 is faster but cryptographically broken — collision attacks are practical and well-documented. SHA-256 has no known collision attacks and is recommended by NIST for security-sensitive applications. If you’re choosing between them, use SHA-256.

SHA-256 for passwords?

Don’t hash passwords with raw SHA-256. It’s too fast — attackers can brute-force billions of hashes per second with GPUs. Use a purpose-built password hashing function like bcrypt, scrypt, or Argon2 that includes salting and deliberate slowness.

Generate SHA-256 hashes with the SHA-256 Hash Generator, or compute hashes with multiple algorithms using the Hash Generator. Verify file integrity with the Checksum Calculator.

#Related Tools

SHA-256 Hash Generator
Generate SHA-256 hashes from text input
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes
Checksum Calculator
Calculate file checksums via drag-and-drop
Hash Identifier
Identify hash algorithms from hash strings

#Related Terms

What is MD5?
MD5 (Message-Digest Algorithm 5) is a hash function that produces a 128-bit (16-byte) digest, commonly used for checksums and data verification but considered cryptographically broken.
What is bcrypt?
bcrypt is a password hashing function based on the Blowfish cipher that incorporates a salt and an adjustable cost factor, making brute-force attacks computationally expensive.
What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token format that encodes a JSON payload with a cryptographic signature, used for authentication and secure data exchange between parties.
What is SSL/TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between clients and servers, forming the foundation of HTTPS.

#Learn More

Glossary
What is bcrypt?
Glossary
What is MD5?
Glossary
What is SHA-256?
Guide
How to Generate an MD5 Hash