What is SHA-256? A practical guide to SHA-256 hashing

When a software update verifies itself before installing, when a Bitcoin block is added to the chain, or when secure websites check data integrity, the Secure Hash Algorithm 256-bit (SHA-256) is often working in the background. It’s one of the most widely used cryptographic hash functions in modern computing and a core building block in systems that verify data, authenticate information, and support secure internet connections.

This guide explains what SHA-256 is, how it works, where it’s used, how it compares with older and newer hashing algorithms, and what it can and can’t protect against.

What is SHA-256?

SHA-256 is a cryptographic hash function. It takes an input, whether that's a password, a file, or a block of transactions, and produces a fixed-length output called a hash. This hash acts like a digital fingerprint. No matter how large or small the input is, the output always stays the same size.

SHA-256 is part of the SHA-2 family, which includes hash functions with different output sizes, such as SHA-224, SHA-384, and SHA-512. The “2” in SHA-2 refers to the second version of SHA, while the "256" in SHA-256 refers to the size of the hash in bits.

Hashes are usually written in hexadecimal, where a SHA-256 hash appears as a 64-character string. Since the same input produces the same hash every time, two systems can independently hash the same file and verify that the hashes match. If even one character changes, the hash should change too.

Why SHA-256 matters in cybersecurity

Modern cybersecurity systems need a reliable way to check whether data is authentic and unchanged. SHA-256 helps make that possible by turning data into a hash that can be compared later.

A web server may use hashes as part of the process that proves its security certificate came from a trusted issuer. A package manager can compare hashes to detect whether a downloaded file was modified after publication. A blockchain can use hashes to make changes to past records visible across the rest of the chain.

In each case, the basic idea is the same: A system hashes data when it’s created, signed, or published, then hashes it again later and compares the results. If the hashes differ, the data has changed somewhere along the way.

Is SHA-256 encryption?

Encryption and hashing are designed for different purposes. Encryption is used for data that needs to be read again later. It uses a key to transform readable data into an unreadable form, and the correct key can convert it back later.

SHA-256 doesn't use a key and is designed to work in one direction. A system can quickly create a hash from an input, but it can’t use the hash to reveal the original file, password, or message.

Software distributors often publish hashes alongside downloads so users can verify that the files they received match the originals. Because the hash is published separately, anyone can compare it against the downloaded file to check whether the file has changed or been tampered with.

How does SHA-256 work?

SHA-256 turns an input into a fixed-length hash through a step-by-step compression process. The algorithm is designed so that the final hash reflects the entire input, which means even a small change, such as changing one letter in a file, should produce a completely different result.

SHA-256 works on data in 512-bit chunks. Longer inputs are split into multiple chunks and processed one at a time.

Each chunk updates an internal value that gets carried into the next chunk. Because of this chaining, earlier parts of the input continue to affect the final hash as later chunks are added.

Pre-processing and message padding

Before SHA-256 processes the input, it prepares the data through a step called padding. This adds extra bits to the end of the input and records the input’s original length. The padded data can then be divided into 512-bit chunks, giving SHA-256 the right format to process the full input without losing track of where the original data ended.

Hash values and round constants

SHA-256 begins with a fixed set of public starting values, then updates them as each 512-bit chunk is processed. These changing values become the basis of the final hash.

The algorithm also uses fixed numbers during each processing round. The numbers are part of the public SHA-256 design, so anyone can check how the algorithm works and reproduce the same result from the same input.

Compression rounds and final hash output

Each 512-bit chunk passes through 64 rounds of processing. During these rounds, SHA-256 repeatedly mixes the chunk’s data with the current internal value using mathematical and bit-level operations.

As the rounds continue, small differences in the input spread through the internal value. By the time a chunk has been processed, even a one-bit change should affect much of the state.

After the last chunk has been processed, the final internal value becomes the 256-bit hash.

Where is SHA-256 used?

SHA-256 appears in a wide range of systems, from cryptocurrency networks and Transport Layer Security (TLS) certificates to software distribution systems and package managers.

Blockchain technology

Bitcoin relies heavily on SHA-256. Miners, which are the computers competing to add new blocks to the blockchain, repeatedly hash variations of a block until they find a hash that falls below a target value set by the network. This is how the network picks who adds the next block. The winning miner adds the block and earns a reward.

Bitcoin uses SHA-256 twice during this process, a construction known as double SHA-256. It also uses hashes to link blocks together. Each block contains the hash of the previous block, so changing an earlier block would also change the hashes of the blocks that follow.

That makes past records difficult to rewrite. An attacker would need to recompute every affected block from the point of change onward while also outpacing the rest of the network as it continues adding new blocks.

SHA-256, however, isn’t the only hash function used in blockchain systems. Ethereum, for example, uses Keccak-256, which is built on a different design from the SHA-2 family. But Bitcoin’s use of SHA-256 remains the most widely known example.

Digital signatures

A digital signature helps prove that a message came from someone with the right private key and hasn’t been altered.

Signature algorithms, including the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA), don’t usually sign the full original message but instead use a hash of the message. SHA-256 is one of the common hash functions used for this step.

In simple terms, the sender hashes the message and uses their private key to create a signature based on that hash. The recipient then hashes the message again and uses the sender’s public key to verify the signature. If verification succeeds, it shows that the message matches the one that was signed and that the signature was created with the corresponding private key.

File integrity checks

Software distributors often publish a SHA-256 hash next to a download link. After downloading the file, you can run SHA-256 on it locally and check whether the result matches the published hash. If the hashes match, the file is identical to the one the distributor uploaded. If they don't, the file is either corrupted or has been altered.

This check only helps if the hash itself is trustworthy. An attacker who can swap out the file can often swap the hash beside it too, so the hash is most useful when it comes from a source you already trust, separate from the download.

The same approach is also used by software package managers, app stores, container platforms like Docker, and operating system update systems.

SHA-2, with SHA-256 as its most common version, has largely replaced Message Digest 5 (MD5) and SHA-1 for this purpose because practical collision attacks against those older functions made them unsuitable for integrity verification.

SSL and TLS certificates

Every HTTPS connection depends on a certificate that proves a website is what it claims to be. Modern websites use TLS, the encryption protocol that replaced the older Secure Sockets Layer (SSL).

The certificate is signed by a certificate authority (a trusted organization that vouches for which domain belongs to whom), and that signature is made over a SHA-256 hash of the certificate's contents.

When a browser receives the certificate, it verifies the certificate authority’s signature as part of a wider certificate validation process. SHA-256 is commonly used as the hash function in the signature process.

Authentication

SHA-256 is widely used in authentication systems, especially for signing API requests, session tokens, and browser cookies, so servers can verify they haven't been modified. These systems usually combine SHA-256 with a secret key using a method called Hash-based Message Authentication Code (HMAC)-SHA256.

Is SHA-256 secure?

SHA-256 has been widely used in production systems since the early 2000s. No practical attack against its core security properties is publicly known, and it remains one of the standard hash functions used in digital signatures, TLS certificates, software verification, and many other security systems.

Why SHA-256 is still considered safe

SHA-256 is designed to resist three main types of attacks:

1. Preimage attack: The attacker has a hash and tries to work backward to find the original input. For example, they might have a file hash and try to discover the file that created it.
2. Second-preimage attack: The attacker has one known input and its hash, then tries to create a different input with the same hash. For example, they might try to replace a legitimate software file with a malicious one that produces the same hash.
3. Collision attack: The attacker tries to find any two different inputs that produce the same hash. They don’t need to match a specific existing file or message. They just need any two inputs with the same hash.

For SHA-256, all three attack types are considered computationally infeasible with current methods and hardware. The size of the hash is a major reason for this. A SHA-256 hash contains 256 bits, which means there are 2^256 possible outputs.

In a brute-force preimage attack, an attacker would need to guess inputs, hash each one, and check whether the result matches the target hash. The expected workload is on the order of 2^256 attempts. That number is larger than the estimated number of atoms in the observable universe, which puts it far beyond what current and foreseeable hardware can search.

SHA-256 collisions and why they matter

A collision happens when two different inputs produce the same hash. If attackers could intentionally create collisions in SHA-256, they could potentially replace one file or message with another while keeping the same hash value. That would weaken systems that rely on SHA-256 to verify that data hasn’t changed.

No practical collision attack against SHA-256 is publicly known. However, older hash functions have been broken this way.

One well-known example is SHA-1, an older member of the SHA family. In 2017, researchers from Centrum Wiskunde & Informatica (CWI) Amsterdam and Google created two different PDF files with the same SHA-1 hash in an attack known as SHAttered.

That result demonstrated a practical weakness in SHA-1, but it didn't carry over to SHA-256. SHA-256 has a different internal structure and a much larger output (256 bits versus SHA-1's 160 bits).

Can quantum computers break SHA-256?

Quantum computers could theoretically weaken SHA-256 against one type of attack, but not enough to make it breakable with foreseeable technology.

A quantum computer running Grover's algorithm, a quantum search method that speeds up brute-force searches, could reduce the difficulty of a preimage attack against SHA-256. Instead of requiring roughly 2^256 operations, the work would drop to roughly 2^128 operations.

That is a major reduction, but 2^128 operations is still far beyond what current or realistically foreseeable hardware can perform. It’s also comparable to the workload required for a classical collision attack against SHA-256, which remains out of reach.

Related: What is pass-the-hash attack?

SHA-256 vs. other hashing algorithms

SHA-256 is most often compared with SHA-1, the older standard it replaced, and SHA-512, its larger sibling in the SHA-2 family.

SHA-256 vs. SHA-1

SHA-1 was widely used in the late 1990s and 2000s. It produces 160-bit hashes and appears in security-sensitive systems such as TLS certificates, digitally signed software, and version control tools.

SHA-1 is now considered unsuitable for most security uses because researchers have shown practical collision attacks against it. Major browsers stopped accepting SHA-1 TLS certificates in 2017, and certificate authorities also stopped issuing new SHA-1 certificates.

SHA-256 offers a stronger security margin because it produces longer hashes and has no publicly known practical collision attack. Its 256-bit output gives systems far more resistance against brute-force and collision-based attacks than SHA-1’s 160-bit output.

SHA-1 still appears in some older systems and compatibility settings, but it shouldn’t be used for new designs.

SHA-256 vs. SHA-512

SHA-512 is also part of the SHA-2 family. It produces a 512-bit hash, processes data in 1024-bit chunks, and uses 64-bit internal arithmetic instead of SHA-256’s 32-bit arithmetic. On many 64-bit systems, this can make SHA-512 faster than SHA-256, despite its larger output.

A larger hash doesn’t translate into meaningful extra security for most uses. SHA-256 already makes collision attacks unrealistic with current methods and hardware, so pushing the security margin higher usually doesn’t change the practical risk.

SHA-512 can be a good fit when performance on 64-bit servers matters, when a protocol requires a larger hash output, or when a system already standardizes on SHA-512. For general use, SHA-256 remains the more common default.

Advantages and disadvantages of SHA-256

SHA-256 is widely used because it balances security, speed, and compatibility. But those same strengths can make it a poor fit for some tasks, especially when speed makes guessing attacks easier.

Advantages of SHA-256

Here are some of the advantages of SHA-256.

Proven track record

SHA-256 has held up to more than two decades of public scrutiny, with no publicly known practical break against the algorithm itself.

Fast and lightweight

Computing a SHA-256 hash is fast, even on ordinary hardware. A laptop can hash a large file in a fraction of a second, and busy servers can hash millions of items without slowing down. Many modern processors also include dedicated SHA-256 instructions (built-in shortcuts that let the chip compute these hashes faster than software alone).

Broad support and no licensing cost

SHA-256 works across major programming languages, operating systems, cryptographic libraries, and security protocols. It's free to use, with no patents or licensing restrictions that limit adoption.

Disadvantages of SHA-256

Some uses of SHA-256 come with trade-offs or additional security considerations.

Too fast for password storage

When a server uses hashing to store a password, it doesn’t keep the password itself. Instead, it stores a hash. When the user logs in, the server hashes the password they enter and checks whether the result matches the stored hash. Because hashes are designed to be one-way, a breached password database doesn’t directly reveal the original password.

The problem is that SHA-256 is fast. A modern graphics card can compute billions of SHA-256 hashes per second, so an attacker who steals password hashes can quickly test huge lists of likely passwords and compare the results. Short, reused, or common passwords can fail here, which is why password storage usually relies on slower, purpose-built password hashing functions instead.

Functions like bcrypt, scrypt, and Argon2 are built for exactly this. They run slowly on purpose, which limits how many guesses an attacker can test per second. They also add salting, which mixes random data into each password before hashing. That way, two people with the same password still get different hashes, so an attacker can't crack them all at once.

Vulnerable to length-extension attacks

Some systems check that data is genuine using a shared key. This is a secret string set up on both ends in advance, like an app and a server given the same value before they exchange any data. The data being checked could be an API request, login token, file, transaction instruction, or any other message one system sends to another.

The sender combines the message with the key, hashes them together, and sends the message with the hash attached. The receiver runs the same calculation and checks that the hashes match. A match is meant to confirm the message wasn’t changed on the way.

Because SHA-256 processes data in a chain, an attacker who has the hash and knows how long the key is can add their own data to the end of the message and produce a new hash that still matches, without ever knowing the key. The receiver may then accept the changed message as genuine.

Most systems avoid this by using HMAC-SHA256, a safer way to combine SHA-256 with a key. The problem only appears in this key-plus-message setup, not in other uses like checking files for tampering or verifying digital signatures.

FAQ: Common questions about SHA-256