SHA-256 Hash Generator
Compute SHA-256 hashes for text and files — hex and base64 output, runs in your browser
SHA-256 is the hash function you’ll encounter most often in modern software — it secures Bitcoin transactions, TLS certificates, code signing, AWS request authentication, and Git object storage. When you need to compute a SHA-256 hash without installing tools or sending data to an unknown server, this tool does it entirely in your browser.
What Is SHA-256?
SHA-256 (Secure Hash Algorithm 256-bit) is a member of the SHA-2 family, designed by the NSA and published by NIST in 2001. It takes any input — a byte, a sentence, a 4GB file — and produces a deterministic 256-bit (32-byte) output, typically represented as 64 hexadecimal characters.
Input: "Hello, World!"
Output: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986dSHA-256’s three core security properties:
- Pre-image resistance: Given a hash output, it is computationally infeasible to find the original input.
- Second pre-image resistance: Given an input and its hash, it is infeasible to find a different input with the same hash.
- Collision resistance: It is infeasible to find any two different inputs that produce the same output.
No practical attacks against SHA-256’s collision resistance have been demonstrated. SHA-256 is considered secure for all current use cases.
SHA-256 Output Formats
This tool outputs SHA-256 hashes in two formats:
Hexadecimal (hex) — 64 lowercase characters:
dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986dBase64 — 44 characters (including padding =):
3/1gIbsr1bCvZ2KQgJ7DpTGR3YHH9wpLKGiKNiGCmG8=Hex is the conventional format for checksums and file integrity. Base64 is common in HTTP headers (e.g., Content-Digest), JWT signatures, and API authentication tokens. Both encode the same 32-byte hash value.
Common Use Cases
File Integrity Verification
The most visible use of SHA-256 is verifying file downloads. Operating system ISOs, software packages, and firmware updates publish their SHA-256 checksums so you can verify the file wasn’t corrupted or tampered with:
# Linux / macOS
sha256sum ubuntu-24.04-desktop-amd64.iso
# Compare output with the .sha256 file from the official site
# macOS alternative
shasum -a 256 ubuntu-24.04-desktop-amd64.iso
# Windows (PowerShell)
Get-FileHash ubuntu-24.04-desktop-amd64.iso -Algorithm SHA256TLS Certificates and HTTPS
Every TLS certificate uses SHA-256 for its signature algorithm (sha256WithRSAEncryption or ecdsa-with-SHA256). The certificate’s fingerprint — visible in browser security details — is a SHA-256 hash of the certificate’s DER encoding.
Code Signing
Software publishers sign their packages with SHA-256 hashes to ensure authenticity:
# Sign a file (OpenSSL)
openssl dgst -sha256 -sign private.pem -out signature.bin file.zip
# Verify the signature
openssl dgst -sha256 -verify public.pem -signature signature.bin file.zipAWS Signature Version 4
AWS API authentication requires computing SHA-256 hashes of the request body:
import hashlib
payload = b'{"Action": "DescribeInstances"}'
payload_hash = hashlib.sha256(payload).hexdigest()
# Use in Authorization header constructionBitcoin and Blockchain
SHA-256 is used twice (SHA-256d) in Bitcoin’s proof-of-work algorithm and for creating Bitcoin addresses. The SHA-256 double-hash of a transaction produces the transaction ID (TXID) visible in block explorers.
Git Object Storage
Git identifies every file, commit, and tree object by its SHA-1 hash (legacy) or SHA-256 hash (Git 2.29+ with --object-format=sha256). The 40-character commit hashes you see in git log are SHA-1; future repositories will use SHA-256.
SHA-256 in Code
// Browser — Web Crypto API
async function sha256(text) {
const buffer = await crypto.subtle.digest(
'SHA-256',
new TextEncoder().encode(text)
);
return Array.from(new Uint8Array(buffer))
.map(b => b.toString(16).padStart(2, '0'))
.join('');
}
const hash = await sha256('Hello, World!');
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"// Node.js — built-in crypto
const crypto = require('crypto');
const hash = crypto.createHash('sha256').update('Hello, World!').digest('hex');
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"
// File hash
const fs = require('fs');
const hash = crypto.createHash('sha256');
hash.update(fs.readFileSync('file.zip'));
console.log(hash.digest('hex'));import hashlib
# Hash a string
text_hash = hashlib.sha256(b'Hello, World!').hexdigest()
# "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"
# Hash a file efficiently (streaming)
sha256 = hashlib.sha256()
with open('large-file.zip', 'rb') as f:
while chunk := f.read(65536):
sha256.update(chunk)
print(sha256.hexdigest())import (
"crypto/sha256"
"fmt"
)
h := sha256.Sum256([]byte("Hello, World!"))
fmt.Sprintf("%x", h)
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"use sha2::{Sha256, Digest};
let mut hasher = Sha256::new();
hasher.update(b"Hello, World!");
let result = hasher.finalize();
println!("{:x}", result);SHA-256 vs Other Hash Algorithms
| Algorithm | Output | Status | Use When |
|---|---|---|---|
| MD5 | 128-bit | Broken | File checksums only (not security) |
| SHA-1 | 160-bit | Deprecated | Legacy compatibility only |
| SHA-256 | 256-bit | Secure | General purpose — default choice |
| SHA-512 | 512-bit | Secure | 64-bit systems, extra margin |
| SHA-3/256 | 256-bit | Secure | When SHA-2 resistance is required |
| BLAKE3 | 256-bit | Secure | High-performance hashing |
SHA-256 is the right default for almost every use case. SHA-512 is faster on 64-bit hardware and offers a larger security margin, but produces longer output. SHA-3 uses a completely different construction (Keccak sponge) and is the fallback if SHA-2 vulnerabilities were discovered.
Hash Verification Workflow
The Verify tab lets you paste text alongside a known SHA-256 hash to confirm they match. This is useful when:
- A developer shares a configuration value and its expected hash for integrity checking
- You want to verify that a stored hash matches a piece of data
- You’re debugging a SHA-256 implementation and want to check expected values
Both hex and base64 formats are accepted in the verification input field.
Frequently Asked Questions
Is SHA-256 the same as SHA-2? SHA-2 is a family of hash functions; SHA-256 is the 256-bit member. The family also includes SHA-224, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
Can I use SHA-256 to hash passwords? No. SHA-256 is designed to be fast — a modern GPU can compute hundreds of millions of SHA-256 hashes per second. Passwords must be hashed with a slow, memory-hard algorithm: bcrypt, Argon2, or scrypt. Use the bcrypt generator on this site for password hashing.
Is this SHA-256 generator private?
Yes. All computation happens using crypto.subtle.digest('SHA-256', ...) in your browser. No input text or files are transmitted to any server.
Why does changing one character completely change the output? This is the avalanche effect — a deliberate design property of SHA-256. It ensures that similar inputs produce completely uncorrelated outputs, making it impossible to infer anything about the input from the output.
What is the probability of two inputs having the same SHA-256 hash? SHA-256 produces 2^256 possible values. By the birthday paradox, you’d need approximately 2^128 random inputs before expecting a collision — a number so large it’s computationally impossible to reach with any foreseeable technology.