How SHA-256 works
SHA-256 is a cryptographic hash function from the SHA-2 family, standardised by NIST in FIPS 180-4. It takes input of any length and returns a fixed 256-bit digest — always 64 hexadecimal characters, whether you feed it one letter or a gigabyte of data.
Three properties make it useful. It's deterministic: the same input always yields the same digest. It's one-way: you can't work backwards from a hash to its input. And it has a strong avalanche effect: change a single bit and roughly half the output flips. Together these turn a hash into a compact, tamper-evident fingerprint of whatever produced it.
Internally it follows the Merkle–Damgård construction: the message is padded and split into 512-bit blocks, then mixed through 64 compression rounds over eight 32-bit registers. One important caveat: speed is a feature here, which makes raw SHA-256 a poor choice for password storage. For that, reach for a deliberately slow algorithm like bcrypt or Argon2. Everything on this page is computed locally with the browser's Web Crypto API — your input is never uploaded.
Properties & common uses
What the algorithm guarantees about every digest it produces.
Where a fast, collision-resistant fingerprint earns its keep.
SHA-1 vs SHA-256 vs SHA-3
| Algorithm | Digest size | Security status |
|---|---|---|
| MD5 | 128 bits | Broken |
| SHA-1 | 160 bits | Broken |
| SHA-256 | 256 bits | Secure |
| SHA-3 | 256 / 512 bits | Secure |
SHA-256 remains the most widely deployed hash in network protocols and APIs thanks to its broad hardware support and efficiency, while SHA-3 (Keccak) offers a structurally different fallback.
Where developers use it
Verifying a download
Hash a downloaded file and compare it to the checksum the publisher posted to confirm nothing was altered in transit.
Deduplicating content
Use the digest as a content address — identical files hash identically, so storage and caches can skip duplicates.
Signing & receipts
Hash a payload before signing it, so a signature covers a compact fingerprint instead of the entire document.
Frequently asked questions
No. SHA-256 is a one-way function — there's no operation that turns a digest back into its input. So-called "decryptors" are really just lookup tables of previously-hashed values; they can only match common strings that someone already hashed, not invert the algorithm itself.
Not on its own. SHA-256 is built to be fast, which is exactly the wrong property for passwords — it lets an attacker test billions of guesses per second. Use a purpose-built, deliberately slow algorithm like bcrypt, scrypt, or Argon2, always with a per-user salt.
All three are hash functions, but MD5 and SHA-1 are broken — practical collisions exist, so two different inputs can share a digest. SHA-256 (part of the SHA-2 family) has no known collision attack and is the current baseline for integrity and signatures. Treat MD5/SHA-1 as checksums for accidental corruption only, never for security.
SHA-256 uses the Merkle-Damgård iterative construction with a Davies-Meyer compression function. The message is padded and split into 512-bit blocks, and each block is mixed through 64 compression rounds using bitwise logical operations and modular addition, which makes inverting the function computationally infeasible.
That's the avalanche effect. A good hash spreads every input bit across the whole output, so flipping a single character changes roughly half the digest. It's why a hash is a reliable fingerprint — any edit, however small, is obvious.
Not in any practical sense. SHA-256 has an output space of 2^256 possible digests, making a complete precomputed rainbow table impossible to build. Only very simple, low-entropy words or short strings can be found in small lookup databases of precalculated hashes.
No. Hashing runs through your browser's built-in Web Crypto API, entirely on your device. The input never leaves the page, so it's safe to hash file contents, secrets, or anything sensitive.
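The padding, 512-bit blocks, 64 rounds and eight 32-bit registers described under "How SHA-256 works" and in the Merkle-Damgård answer above, written out as an added teaching example; it is not this page's own code, which uses the Web Crypto API. The names `padMessage`, `sha256` and `diffBits` are this example's own, and `diffBits` measures the avalanche effect between two inputs.

```javascript
const rotr = (x, n) => (x >>> n) | (x << (32 - n));
// FIPS 180-4 constants: first 32 fractional bits of the square (H0) and cube (K) roots of the first primes.
const primes = [];
for (let n = 2; primes.length < 64; n++) if (primes.every((p) => n % p)) primes.push(n);
const frac32 = (x) => ((x % 1) * 2 ** 32) >>> 0;
const H0 = primes.slice(0, 8).map((p) => frac32(Math.sqrt(p)));
const K = primes.map((p) => frac32(Math.pow(p, 1 / 3)));

// Merkle-Damgard padding: 0x80, zeros, then the 64-bit big-endian bit length, filling whole 64-byte blocks.
function padMessage(msg) {
  const out = new Uint8Array(Math.ceil((msg.length + 9) / 64) * 64);
  out.set(msg);
  out[msg.length] = 0x80;
  const view = new DataView(out.buffer);
  view.setUint32(out.length - 8, Math.floor(msg.length / 2 ** 29)); // bit length, high word
  view.setUint32(out.length - 4, (msg.length * 8) >>> 0); // bit length, low word
  return view;
}

function sha256(input) {
  const view = padMessage(typeof input === "string" ? new TextEncoder().encode(input) : input);
  const h = H0.slice(); // eight 32-bit registers (the chaining value)
  const w = new Uint32Array(64); // message schedule; stores wrap mod 2^32
  for (let off = 0; off < view.byteLength; off += 64) {
    for (let t = 0; t < 16; t++) w[t] = view.getUint32(off + 4 * t);
    for (let t = 16; t < 64; t++) {
      const s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >>> 3);
      const s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >>> 10);
      w[t] = w[t - 16] + s0 + w[t - 7] + s1;
    }
    let [a, b, c, d, e, f, g, hh] = h;
    for (let t = 0; t < 64; t++) { // 64 rounds per block
      const t1 = (hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) | 0;
      const t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) | 0;
      [hh, g, f, e, d, c, b, a] = [g, f, e, (d + t1) | 0, c, b, a, (t1 + t2) | 0];
    }
    // Davies-Meyer feed-forward: add the block's result into the chaining value.
    [a, b, c, d, e, f, g, hh].forEach((v, i) => { h[i] = (h[i] + v) >>> 0; });
  }
  return h.map((v) => v.toString(16).padStart(8, "0")).join("");
}

// Avalanche check: how many of the 256 digest bits differ between two inputs.
function diffBits(x, y) {
  const [hx, hy] = [sha256(x), sha256(y)];
  let n = 0;
  for (let i = 0; i < 64; i++) for (let v = parseInt(hx[i], 16) ^ parseInt(hy[i], 16); v; v >>= 1) n += v & 1;
  return n;
}
```

For real workloads use `crypto.subtle.digest("SHA-256", data)`; a hand-written hash like this one is for study only.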