SHA-256 is a cryptographic hash function that produces a 256-bit (32-byte) digest of any input. It belongs to the SHA-2 family, designed by the NSA and published by NIST in 2001 as part of the FIPS 180-2 standard. It's the most-used hash function in the world in 2026: the base of modern TLS, of Bitcoin, of digital signatures, of file integrity verification, of JWT with HS256 algorithm, of Git for identifying commits and of practically any protocol needing to verify data without revealing content. It remains secure and recommended by NIST, IETF and most international bodies for general use.
This guide explains what SHA-256 actually is, how it works internally (Merkle-Damgård with 64 rounds over 512-bit blocks), the four cryptographic properties that make it useful, the six real use cases appearing in any modern system, the practical comparison with SHA-1 (broken since 2017), SHA-3 (formal alternative) and BLAKE3 (the modern non-NIST option), common mistakes in real applications (especially password storage) and when migrating to something different makes sense.
What SHA-256 is
SHA-256 is a cryptographic hash function that takes input of any size and always returns a 256-bit digest (usually represented as 64 hexadecimal characters). The acronym stands for Secure Hash Algorithm 2, 256-bit variant. Part of the SHA-2 family, which also includes SHA-224, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
Concrete example:
SHA-256("hello world") = 0b894166d3336435c800bea36ff21b29eaa801a52f584c006c49289a0dcf6e2f
SHA-256("hello World") = 00256edc2cabb60f547b376373e936ac4a5ba78a0ca00960eea3703ac2a707c5
One different letter produces a completely different digest: the "avalanche effect" property.
What it gives operationally:
- Integrity verification of files, messages, downloads.
- Unique identifiers for arbitrary data (Git commits, CDN content, IPFS).
- Digital signature construction combined with asymmetric cryptography (RSA, ECDSA).
- Proof of work in blockchain systems.
- Cryptographic commitment: publishing the hash of a value proves it was known before being revealed.
The four properties that make it useful
A serious cryptographic hash function meets four properties:
Determinism
Same input always produces same output. Without it, they wouldn't be useful for verification.
Preimage resistance
Given a hash H, it's computationally infeasible to find input m such that SHA-256(m) = H. The only known way is brute force, which for 256 bits is practically impossible even with specialised hardware.
Second preimage resistance
Given a message m1, it's infeasible to find m2 ≠ m1 such that SHA-256(m1) = SHA-256(m2). The property preventing signature forgery by modifying the document.
Collision resistance
It's infeasible to find any two messages m1 and m2 such that SHA-256(m1) = SHA-256(m2). Weaker than second preimage, but also easier to attack (birthday paradox: 2^128 operations instead of 2^256). For SHA-256, those 2^128 remain unreachable with current technology.
Two more practical properties on top:
- Avalanche effect: a minimal input change produces massive changes in the hash.
- Fixed output size: 256 bits always, regardless of input size.
How it works internally
SHA-256 follows the Merkle-Damgård construction. Simplified steps:
- Padding. The input gets completed with bits so its length is a multiple of 512. A bit 1 gets added, then zeros, and at the end 64 bits indicating the original length.
- Block division of 512 bits.
- Initialisation of the internal state with 8 constant 32-bit values (
H0toH7) derived from the square roots of the first 8 prime numbers. - 64 rounds per block. Each round mixes the state with the current block using logical operations (AND, OR, XOR, NOT), rotations, modular sums and a specific constant derived from the cube roots of the first 64 primes.
- Compression. After processing each block, the result mixes with the previous state.
- Output. After processing every block, the final 8 state values get concatenated forming the 256-bit hash.
The design is meant to be efficient on general hardware and resistant to known cryptanalysis techniques.
Six real use cases
TLS and X.509 certificates
SHA-256 signs certificates issued by public and private CAs. The Signature Algorithm field in a modern X.509 certificate usually says sha256WithRSAEncryption or ecdsa-with-SHA256. When a browser connects to https://secra.es, it validates the certificate chain by verifying SHA-256 signatures. More context in the PKI guide.
Bitcoin and blockchain
Bitcoin uses SHA-256 twice (SHA-256(SHA-256(x))) for almost everything: block hashing (proof of work), transaction hashing (TXID), Merkle tree construction of transactions, P2PKH address derivation. Mining ASICs are hardware specifically designed to execute billions of SHA-256 operations per second.
JWT with HS256 and RS256
JSON Web Tokens signed with HMAC-SHA256 (HS256) or RSA-SHA256 (RS256). HS256 signs with shared key; RS256 signs with private key and verifies with public key. SHA-256 is the cryptographic engine under the signature. More context in the JWT security guide.
Download integrity
Official pages of open source projects publish the SHA-256 hash of the downloadable binary. The user verifies the file hasn't been altered in transit or in the mirror by computing the local SHA-256 and comparing.
$ sha256sum download.iso
0b894166d3336435c800bea36ff21b29eaa801a52f584c006c49289a0dcf6e2f download.iso
Git and version control systems
Git identifies each commit, blob and tree with a SHA-1 hash (legacy) and since Git 2.42 (2023) optionally SHA-256. Each commit references its tree and parents by hash. The integrity of the entire repository history depends on that chain.
Cryptographic commitment and proof of existence
Publishing the hash of a document is public proof it was known before the publication date, without revealing the content. Digital notarisation systems, public blockchain, qualified timestamps (TSA under eIDAS) use SHA-256 as the base.
SHA-1, SHA-256, SHA-3 and BLAKE3
Practical comparison to understand what to use in 2026.
SHA-1 (1995, 160 bits, BROKEN)
Designed by NSA, published by NIST. Considered secure until 2005, when the first warnings appeared. In 2017 the SHAttered team from Google and CWI Amsterdam published the first real collision (two different PDFs with the same SHA-1). Since then, NIST and the industry have retired SHA-1 from every critical use: TLS rejects it since 2017, public CAs don't issue certificates with SHA-1, Git keeps it for compatibility while migrating.
Don't use for anything new. Replace where legacy appears.
SHA-256 (2001, 256 bits, SECURE)
The SHA-2 family (224, 256, 384, 512) remains secure. NIST recommends it. The industry uses it by default for almost everything. SHA-256 is the sweet spot between security and performance; SHA-512 is somewhat faster on 64-bit systems but produces longer hashes that aren't always needed.
Recommended for general use in 2026.
SHA-3 / Keccak (2015, 224/256/384/512 bits)
Designed by an independent team (Bertoni, Daemen, Peeters, Van Assche). NIST standardised it in FIPS 202 as a formal alternative to SHA-2 in case a serious flaw appeared in SHA-2. Different internal construction (sponge instead of Merkle-Damgård), making it resistant to attacks that would affect SHA-2.
Doesn't replace SHA-2 in production. Coexists as an additional option. Slower than SHA-2 on CPUs without specific instructions.
Use when cryptographic diversity is required or for specific compliance.
BLAKE2 and BLAKE3 (2012/2020)
Designed by Aumasson and others. Not NIST-standardised but widely adopted in modern software. BLAKE3 (2020) is notably faster than SHA-2 on modern CPUs, supports massive parallelisation and native Merkle trees. Used in Cloudflare, Solana, IPFS, modern rsync, backup tools.
Technically superior in performance; less accepted in NIST-regulated environments.
Common mistakes in real applications
What appears in audits and pentests where SHA-256 gets used badly.
Storing passwords with raw SHA-256
Manual error. SHA-256 alone is too fast: a modern GPU computes billions of hashes per second, which allows very fast brute force and dictionary attacks against a leaked database.
The correct way is using password derivation functions designed to be slow and memory-costly: Argon2id (recommended in 2026), scrypt, bcrypt or PBKDF2 with many thousands of iterations. All internally use hash functions, but add a unique per-user salt and controlled computational cost.
Missing or reused salt
Without salt, two users with the same password have the same hash, allowing rainbow tables and revealing matches. The salt must be unique per user, random, sufficiently long (16+ bytes) and stored alongside the hash (it isn't a secret).
Truncating the hash to fewer bits
Some designers reduce the 256 bits to 64 or 128 to save storage. Collision resistance falls proportionally. For 128 truncated bits, collisions become viable on powerful hardware. Truncating is only acceptable when the threat model explicitly justifies it.
Using HMAC as a simple hash
HMAC-SHA256 requires a secret key for its output to be authenticated. If the code stores the key alongside the hash or derives it from something public, it stops providing authentication. Well-applied HMAC is an excellent tool; misapplied, it reduces to a slower hash.
Comparing hashes with ==
Non-constant time comparison allows timing attacks. Modern cryptographic libraries (crypto.subtle.timingSafeEqual in Node, hmac.compare_digest in Python, constant_time in Go) are mandatory for comparing cryptographic values.
Trusting legacy SHA-1 hash
Old systems still signing internal certificates with SHA-1, Git repositories with SHA-1 without migration, integrity systems publishing SHA-1 checksums. Migrate all to SHA-256 before an exploitable case appears.
Migration: when to leave SHA-256
SHA-256 remains secure in 2026. Situations that justify migrating:
- Required cryptographic diversity. Some regulatory frameworks or intelligence agencies require using different families in different layers. SHA-3 covers this requirement.
- Critical performance. BLAKE3 offers several times better performance on modern CPUs. Useful in streaming, deduplication, at-scale hashes (CDN, IPFS).
- Quantum computing. When quantum computers become viable at cryptographic scale (not before 2030-2035 per current consensus), Grover's algorithm will reduce SHA-256's effective resistance to half (128 bits). Safe today, will remain so for years more. SHA-384 or SHA-512 give additional margin when quantum gets close.
For general use in modern applications in 2026, SHA-256 doesn't need immediate migration.
Compliance fit
SHA-256 appears directly or indirectly in regulatory frameworks:
- eIDAS (EU Regulation 910/2014 and 2024/1183). Qualified electronic signatures use SHA-256 (or higher variants) as the reference hash algorithm.
- NIS2 (article 21). Technical measures including encryption and authentication. Implementation with modern primitives (SHA-2, SHA-3) is required.
- DORA (article 9). ICT risk management in financial services. Cryptographic algorithms per current best practices.
- ISO 27001:2022 (controls 8.24, 8.25, 8.26). Cryptography use, development lifecycle, application security requirements.
- PCI DSS v4.0 (req. 4 and 8). Robust cryptographic algorithms for card data and authentication.
- FIPS 140-3. SHA-256 is approved for use in US federal cryptographic modules; relevant for Spanish companies selling to US public sector.
Frequently asked questions
Has SHA-256 been broken?
No. In 2026 it remains secure. There's no known attack that breaks preimage, second preimage or collision in SHA-256 with reasonable effort. The best theoretical attack against collisions is still brute force (2^128 operations), unreachable with current technology.
How many combinations does a SHA-256 hash have?
2^256, which in decimal notation is approximately 1.16 × 10^77. Comparable to the estimated number of atoms in the observable universe. Trying every combination is physically impossible with classical technology.
Difference between SHA-256 and SHA-512?
Same Merkle-Damgård design but with different internal blocks (SHA-256 works with 32-bit words, SHA-512 with 64-bit) and different number of rounds. SHA-512 produces a longer hash (512 bits) and is faster on native 64-bit systems. For general use, SHA-256 remains the default.
Can I use SHA-256 for passwords?
Only inside a key derivation function (KDF) like Argon2id, scrypt, bcrypt or PBKDF2. Raw SHA-256 without salt and without iterations is insecure because modern GPUs compute billions per second.
Is Bitcoin still secure with SHA-256?
Yes. The use of double SHA-256 in Bitcoin hasn't been compromised. What has changed is mining difficulty: specialised hardware (ASICs) has made it almost impossible for a regular machine to contribute. Cryptography remains robust; what changes is the mining economy.
What about SHA-256 when quantum computing arrives?
Grover's algorithm reduces SHA-256's effective resistance against preimage from 256 to 128 bits, enough for many uses. The quantum concern is much greater with asymmetric cryptography (RSA, ECDSA), which falls with Shor's algorithm. For hashes, SHA-384 or SHA-512 give extra margin. Formal post-quantum migration is underway (NIST PQC).
Difference between hash and encryption?
The hash is one-way: from the hash you don't recover the input. Encryption is reversible with the key: from the ciphertext you recover the original. Hash serves for integrity and verification; encryption serves for confidentiality. They aren't interchangeable.
Related resources
- What is PKI: infrastructure where certificates get signed with SHA-256 (or higher variants) by default.
- What is JWT and token security: token format whose HS256 and RS256 signatures rely on SHA-256.
- What is CORS: browser mechanism adjacent to auth and message signing.
- What is Man in the Middle: vector SHA-256 helps mitigate through signature and integrity.
- Web application pentesting: where cryptographic implementations get audited in applications.
- API pentesting REST and GraphQL: audit of token signing and cryptographic validation.
Cryptographic audit at Secra
At Secra we review the use of SHA-256 and related cryptographic primitives as a standard part of web and API audits: validation of token signing algorithms, password storage (Argon2id vs raw hash), correct HMAC use, constant-time comparison, TLS configuration with SHA-256 or higher, integration with HSM or corporate PKI. If your organisation has legacy applications with old cryptography, is implementing electronic signature under eIDAS or has never audited the real use of cryptographic primitives, get in touch via contact or check our web and mobile audit service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.