SHA-256 Explained: What It Is and Why It's Everywhere

by Andergrove Software

SHA-256 is a cryptographic hash function: feed it any data — a word, a password, a 4 GB video — and it returns a fixed 256-bit fingerprint, written as 64 hexadecimal characters. The same input always produces the same fingerprint, the tiniest change produces a completely different one, and you cannot run it backwards to recover the original. Those three properties are why SHA-256 quietly underpins passwords, downloads, certificates, Git and Bitcoin.

Here is what that actually means, with a worked example you can reproduce in the hash generator as you read.

What is a hash function?

A hash function maps data of any size to a fixed-size output. A cryptographic hash like SHA-256 adds guarantees that make it safe for security work:

  • Deterministic — the same input always gives the same output.
  • Fixed length — the output is always 256 bits, whether the input is one byte or a gigabyte.
  • One-way — given a hash, there is no practical way to compute the input that produced it. You can only guess and check.
  • Avalanche effect — flip a single bit of the input and roughly half the output bits change. Similar inputs produce hashes with no visible relationship to each other.
  • Collision-resistant — it is computationally infeasible to find two different inputs with the same hash.

A worked example

Hash the lowercase word hello with SHA-256 and you always get:

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Now change just the first letter to a capital — Hello:

185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

One character changed, and the entire fingerprint is unrecognisably different. That is the avalanche effect, and it is what makes a hash a reliable way to detect any change, however small.
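To put a number on "unrecognisably different", the following added example (not code from the Andergrove site) hashes both words with the Web Crypto API and counts how many of the 256 output bits differ. The function names `sha256Hex`, `bitsChanged` and `avalanche` are chosen for this illustration.

```javascript
// Added example. Uses the standard Web Crypto API; the fallback covers
// older Node.js versions where `crypto` is not exposed as a global.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// SHA-256 of a UTF-8 string, returned as 64 lowercase hex characters.
async function sha256Hex(text) {
  const digest = await subtle.digest("SHA-256", new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Number of bit positions in which two equal-length hex digests differ.
function bitsChanged(hexA, hexB) {
  if (hexA.length !== hexB.length) throw new Error("digest lengths differ");
  let count = 0;
  for (let i = 0; i < hexA.length; i++) {
    let x = parseInt(hexA[i], 16) ^ parseInt(hexB[i], 16);
    for (; x; x &= x - 1) count++; // each pass clears the lowest set bit
  }
  return count;
}

// Hash two inputs and report how far apart the fingerprints are.
async function avalanche(a, b) {
  const [ha, hb] = await Promise.all([sha256Hex(a), sha256Hex(b)]);
  const changed = bitsChanged(ha, hb);
  return { ha, hb, changed, fraction: changed / (ha.length * 4) };
}

// "h" (0x68) and "H" (0x48) differ in exactly one input bit.
avalanche("hello", "Hello").then(({ ha, hb, changed, fraction }) => {
  console.log(ha);
  console.log(hb);
  console.log(`${changed} of 256 bits differ (${(fraction * 100).toFixed(1)}%)`);
});
```

The same `bitsChanged` count works for any pair of digests, so you can repeat the experiment with other one-character edits and see the fraction stay close to one half.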

What the "256" means

The number is the size of the output in bits — 256 bits, or 32 bytes, shown as 64 hex characters. SHA-256 is part of the SHA-2 family, which also includes SHA-384 and SHA-512 (larger outputs, more headroom). Its older sibling, SHA-1, produces 160 bits and is now considered broken for security use because collisions have been demonstrated — prefer SHA-256 or larger.

What SHA-256 is used for

  • File integrity. Download sites publish a SHA-256 checksum next to a file. Hash your copy and compare — if the values match, the file arrived intact and untampered.
  • Password storage. Sites never store your raw password. They store a hash (with a per-user salt and a deliberately slow algorithm) so a leaked database does not hand over the passwords directly.
  • Digital signatures and certificates. TLS certificates and signed software hash the content first, then sign the hash. The hash is the compact stand-in for the whole document.
  • Version control. Git identifies every commit and file by its hash, which is how it detects corruption and de-duplicates content.
  • Blockchains. Bitcoin's proof-of-work is essentially a giant search for an input whose SHA-256 hash starts with enough zeros.

What SHA-256 is not

  • It is not encryption. Encryption is reversible with a key; hashing is a one-way street with no key and no "decrypt." If a site claims to "decrypt" a SHA-256 hash, it is really just looking the value up in a table of pre-computed guesses.
  • It is not, by itself, enough for passwords. Plain SHA-256 is too fast, which helps attackers guess billions of candidates per second. Real password storage uses a salt plus a slow, purpose-built function (bcrypt, scrypt, Argon2). SHA-256 is the right tool for integrity, not for raw password hashing.

Common misconceptions

  • "It compresses my data." No — you cannot get the original back. A hash is a fingerprint, not a zip file.
  • "Two files could never share a hash." In theory collisions exist (the output is finite); in practice, for SHA-256, nobody has ever found one and it is considered infeasible.
  • "Longer input, longer hash." The output is always 64 hex characters, regardless of input size.

Try it yourself

The clearest way to build intuition is to hash things and watch the output. The Andergrove Hash Generator computes SHA-1, SHA-256, SHA-384 and SHA-512 of text or a file live, using your browser's Web Crypto API — nothing is uploaded, so it is safe for sensitive input. Type hello, then change one letter, and watch the whole fingerprint change.

If you are working with authenticated messages or API signatures, the HMAC Generator builds on the same hash functions with a secret key.