Understanding SHA-256 Hash: How It Works and Why It Matters

What is SHA-256?

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that produces a fixed-size 256-bit (32-byte) digest from any input. It belongs to the SHA-2 family, designed by the NSA and published by NIST in 2001. No matter the input size—whether a single character or a terabyte file—SHA-256 always outputs a 64-character hexadecimal string.

SHA-256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA-256("Hello") = 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Notice how a tiny change in input (lowercase vs uppercase) produces a completely different hash. This is called the avalanche effect—a fundamental property of cryptographic hash functions.

Key Properties of SHA-256

1. Deterministic: The same input always produces the same hash
2. One-way: It’s computationally infeasible to reverse a hash back to its input
3. Collision-resistant: Finding two different inputs that produce the same hash is extremely unlikely
4. Avalanche effect: A small change in input drastically changes the output
5. Fixed output size: Always 256 bits, regardless of input size

How SHA-256 Works (Simplified)

SHA-256 processes data in 512-bit blocks through 64 rounds of mathematical operations. Here’s a simplified overview:

1. Pre-processing: Pad the message so its length is a multiple of 512 bits
2. Initialize hash values: Start with eight 32-bit constants derived from fractional parts of square roots of the first 8 primes
3. Process each block: For each 512-bit block:
   • Expand the 16 words into 64 words
   • Run 64 rounds of compression using bitwise operations (AND, XOR, ROTR, SHR) and modular addition
   • Update the hash values
4. Output: Concatenate the eight 32-bit hash values to produce the 256-bit digest

// Computing SHA-256 in the browser
async function sha256(message) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}

sha256('hello').then(hash => console.log(hash));
// "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

You can compute SHA-256 hashes instantly using the hash generator tool on CodeKit.

SHA-256 vs MD5

MD5 was once the most popular hash function, but it’s now considered broken. Here’s how SHA-256 compares:

Property	MD5	SHA-256
Output size	128 bits	256 bits
Hash length	32 hex chars	64 hex chars
Collision attacks	Practical	Not feasible
Speed	Faster	Slower
Security status	Broken	Secure
Recommended	No	Yes

Why MD5 is Broken

In 2004, researchers demonstrated practical collision attacks against MD5—finding two different inputs that produce the same hash. This means an attacker could create a malicious file with the same MD5 hash as a legitimate one.

// MD5 collision example (conceptual)
// These two different inputs produce the same MD5 hash:
// md5(input1) === md5(input2) — this is possible with MD5!

// SHA-256: No practical collisions have ever been found

Never use MD5 for security purposes. If you need backward compatibility with legacy systems, consider SHA-256 as a drop-in replacement.

Practical Use Cases

1. Password Hashing

Never store passwords in plain text. Hash them with a salt using a dedicated password hashing function:

// Good: Use bcrypt, scrypt, or Argon2 for passwords
// SHA-256 alone is NOT ideal for passwords (too fast for brute-force resistance)

// If you must use SHA-256, at least use HMAC with a salt:
const crypto = require('crypto');
const salt = crypto.randomBytes(16);
const hash = crypto.pbkdf2Sync('password', salt, 100000, 64, 'sha512');

2. Data Integrity Verification

SHA-256 is perfect for verifying that files haven’t been tampered with:

// Verifying a downloaded file
const fileBuffer = fs.readFileSync('downloaded-file.zip');
const hash = crypto.createHash('sha256').update(fileBuffer).digest('hex');

if (hash === expectedHash) {
  console.log('File integrity verified!');
} else {
  console.log('File has been modified!');
}

3. Digital Signatures

SHA-256 is used in SSL/TLS certificates, code signing, and document signing to ensure authenticity.

4. Blockchain

Bitcoin and many other cryptocurrencies use SHA-256 as their core hashing algorithm for proof-of-work and transaction verification.

5. Git Commit Hashes

Git uses SHA-1 (historically) and is transitioning to SHA-256 for identifying commits, trees, and blobs.

Hash Collisions Explained

A hash collision occurs when two different inputs produce the same hash output. Due to the pigeonhole principle, collisions must exist for any hash function—there are infinitely many possible inputs but only finitely many outputs.

However, for SHA-256, finding a collision would require approximately 2^128 operations (by the birthday paradox), which is computationally infeasible with current and foreseeable technology. To put this in perspective, if every computer on Earth checked a billion hashes per second, it would still take far longer than the age of the universe to find a collision.

Performance Considerations

SHA-256 is slower than MD5 but fast enough for most applications. Here are approximate speeds on modern hardware:

Operation	Speed
Small strings	< 1ms
1 MB file	~2ms
1 GB file	~2 seconds

For password hashing, the slowness of SHA-256 is actually not enough—use purpose-built functions like bcrypt or Argon2 that are intentionally slow to resist brute-force attacks.

Conclusion

SHA-256 is a robust, widely-trusted cryptographic hash function that plays a critical role in modern security infrastructure. Whether you’re verifying file integrity, implementing authentication, or building distributed systems, understanding SHA-256 is essential. Just remember: hashing is for integrity and verification, not for storing passwords—use dedicated password hashing functions for that.

Ready to compute some hashes? Try the hash generator on CodeKit—it supports SHA-256, MD5, SHA-1, and more, all running locally in your browser.