SHA-256

SHA-256 is a cryptographic hash function published by the US National Institute of Standards and Technology (NIST) in 2001 as part of the SHA-2 family (FIPS PUB 180-4). It takes any-length input and produces a 256-bit (32-byte, 64 hex character) fixed-length output.

The function is deterministic (same input always produces same output), one-way (computationally infeasible to derive input from output), and collision-resistant (computationally infeasible to find two different inputs producing the same output). As of 2026 no practical attack on SHA-256 collision resistance has been demonstrated.

Where SHA-256 shows up: TLS certificate signatures, JWT signatures (HS256, RS256, ES256 — the 256 is SHA-256), Bitcoin block hashes (double-applied), HMAC-SHA256 message authentication, Git’s upcoming SHA-256 object format, and basically every modern integrity-verification stack.

Compute SHA-256 hashes via our hash generator, which uses the browser’s Web Crypto API (crypto.subtle.digest) under the hood.

What SHA-256 is not built for — and the password mistake: SHA-256 is fast by design. A modern GPU computes billions of SHA-256 hashes per second, which is excellent for verifying file integrity but a disaster for hashing passwords. An attacker who steals a database of plain SHA-256 password hashes can recover most weak passwords in hours by brute force. Password hashing requires a deliberately slow function with a per-user salt — bcrypt, scrypt, Argon2 — that tunes the cost factor so each hash takes ~100 ms rather than ~100 ns. Storing user passwords as bare SHA256(password) is one of the most consistently exploited mistakes in breach disclosures. If you remember nothing else: SHA-256 for integrity, Argon2id for passwords.

Double-SHA-256, length extension, and the HMAC fix: SHA-256 inherits the Merkle-Damgård construction used by SHA-1 and MD5, which means it is vulnerable to length-extension attacks — given H(secret || message) an attacker can compute H(secret || message || padding || extra) without knowing the secret. This is the reason naive “sign the body with SHA256(key + body)” APIs from the early 2010s have all been replaced by HMAC-SHA256, which wraps the construction with two keyed hashes and is not length-extendable. Bitcoin’s “double-SHA-256” (SHA256(SHA256(x))) is a different mitigation against the same family of attacks and is unrelated to HMAC. Related: JWS, signature, SHA-256 vs MD5. Reference: NIST FIPS 180-4 — Secure Hash Standard.

Worked example

The SHA-256 hash of the empty string is the well-known constant e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. The hash of the single byte "a" is ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb. Change one bit — say to "b" — and the hash becomes 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d, with no apparent relationship to the previous output. This is the “avalanche” property in action: every input bit affects roughly half of the output bits. To verify a 1 GB download, you compare its SHA-256 (a 64-character hex string the vendor publishes) against your locally computed one. If they match, the file is bit-for-bit identical with probability indistinguishable from certainty (the chance of a collision being 2⁻¹²⁸, less than picking the same atom out of the observable universe at random).

When and why it matters

SHA-256 is the integrity primitive for almost everything you trust on the modern internet. TLS certificate chains are signed with RSA/ECDSA over SHA-256 digests; JWTs use HMAC-SHA256 by default; Docker image digests, Git’s next-gen object IDs, Apple’s code signing, and Bitcoin’s entire block chain all hash through SHA-256. Three failure modes are worth knowing: substituting SHA-1 or MD5 (both broken for collision resistance — SHA-1 collisions were demonstrated in 2017), using SHA-256 directly for passwords instead of Argon2id (see above), and trusting truncated SHA-256 below 128 bits as collision-resistant (the birthday bound on a 96-bit prefix is only 2⁴⁸ — within reach of a determined attacker). Reference: NIST CSRC — Hash Functions.