SHA-256 Hash Generator — Hash Text and Files with SHA-256

SHA-256 generates a 256-bit (32-byte) cryptographic hash — a fixed-length fingerprint of any input. The same input always produces the same output. Any change to the input produces a completely different output. And it’s computationally infeasible to reverse the hash to recover the original data.

Use the Hash Generator to generate SHA-256, SHA-512, MD5, and other hashes instantly in your browser.

What SHA-256 produces

Input: "Hello, World!"
SHA-256: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d

Input: "Hello, World" (no exclamation mark)
SHA-256: 03675ac53ff9cd1535ccc7dfcdfa2c458c5218371f418dc136f2d19ac1fbe8a5

Completely different outputs for nearly identical inputs — this is the “avalanche effect.”

Always 64 hexadecimal characters (256 bits ÷ 4 bits/hex digit = 64 digits), regardless of input size. A single character produces a 64-char hash; a 1GB file produces the same 64-char hash format.

What SHA-256 is used for

File integrity verification

Software distributions publish SHA-256 checksums alongside downloads. After downloading, you verify the file hasn’t been corrupted or tampered with:

# Check the official checksum:
sha256sum ubuntu-24.04-desktop-amd64.iso
# Should match: 45f873de9f8cb637345d6e66a583762730bbea30277ef7b32c9c3bd6700a32b2

# macOS:
shasum -a 256 ubuntu-24.04-desktop-amd64.iso

If even one bit was flipped in transit, the hash is completely different.

Digital signatures

SHA-256 is the hash function in most certificate chains and digital signatures. The signature process:

1. Hash the document with SHA-256
2. Encrypt the hash with the signer’s private key
3. Recipient decrypts with public key, re-hashes the document, compares

If the hashes match, the document is authentic and unmodified. This is how HTTPS certificates and code signing work.

HMAC authentication

HMAC-SHA256 (Hash-based Message Authentication Code) is used in API authentication:

HMAC = SHA256(secret_key + message)

The server and client share a secret key. The client includes the HMAC in the request; the server recalculates it. If they match, the request is authentic and came from someone who knows the key.

AWS Signature Version 4, Stripe webhooks, and most modern API auth schemes use HMAC-SHA256.

Password hashing — but not directly

SHA-256 alone is wrong for password storage. It’s too fast: a modern GPU can compute 10 billion SHA-256 hashes per second, making brute-force attacks fast.

Password hashing must use a slow function: bcrypt, Argon2, or scrypt. These deliberately add iteration delays to make brute-force expensive.

SHA-256 is used as a component inside bcrypt and PBKDF2, but the slow outer function is what makes password hashing secure.

Blockchain

Bitcoin uses double-SHA256 (SHA256(SHA256(data))) for block hashes and transaction IDs. Ethereum uses Keccak-256 (a SHA-3 variant). The proof-of-work algorithm (mining) is finding an input that produces a hash starting with a certain number of zeros.

How to generate SHA-256 in code

JavaScript (browser — SubtleCrypto)

async function sha256(text) {
  const encoder = new TextEncoder();
  const data = encoder.encode(text);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}

const hash = await sha256('Hello, World!');
console.log(hash);
// "dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d"

Node.js

const crypto = require('crypto');

// Text hashing:
const hash = crypto.createHash('sha256')
  .update('Hello, World!', 'utf8')
  .digest('hex');
console.log(hash);

// File hashing:
const fs = require('fs');
const fileBuffer = fs.readFileSync('file.txt');
const fileHash = crypto.createHash('sha256')
  .update(fileBuffer)
  .digest('hex');

// HMAC-SHA256:
const hmac = crypto.createHmac('sha256', 'secret-key')
  .update('message')
  .digest('hex');

Python

import hashlib

# Text hashing:
text = 'Hello, World!'
hash_value = hashlib.sha256(text.encode('utf-8')).hexdigest()
print(hash_value)

# File hashing (memory-efficient for large files):
def hash_file(filepath):
    h = hashlib.sha256()
    with open(filepath, 'rb') as f:
        for chunk in iter(lambda: f.read(8192), b''):
            h.update(chunk)
    return h.hexdigest()

# HMAC-SHA256:
import hmac
mac = hmac.new(b'secret-key', b'message', hashlib.sha256)
print(mac.hexdigest())

Command line

# Linux:
echo -n "Hello, World!" | sha256sum
# dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d  -

# File:
sha256sum filename.txt

# macOS:
echo -n "Hello, World!" | shasum -a 256

# Windows PowerShell:
Get-FileHash -Algorithm SHA256 filename.txt

Note: echo -n (without -n on macOS, use printf) prevents appending a newline to the hash input.

SHA-256 vs other hash algorithms

Algorithm	Output size	Speed	Security	Use for
MD5	128 bits	Very fast	Broken (collision attacks)	Checksums only, never security
SHA-1	160 bits	Fast	Broken	Deprecated, migrate to SHA-256
SHA-256	256 bits	Fast	Strong	Signatures, HMAC, checksums
SHA-512	512 bits	Fast (faster on 64-bit)	Stronger	Long-term signatures
SHA-3/Keccak	Variable	Moderate	Strong	Alternative SHA-2
bcrypt	Variable	Slow (by design)	Strong	Passwords only
Argon2	Variable	Slow (configurable)	Strongest	Passwords, key derivation

Use SHA-256 for: File integrity, digital signatures, HMAC authentication, checksums.
Never use MD5 or SHA-1 for security: Both have known collision vulnerabilities.
Use bcrypt/Argon2 for passwords: SHA-256 is not suitable for password storage.

Related tools

• Hash Generator — generate SHA-256, SHA-512, MD5 hashes
• Why MD5 Is Dead — SHA-256 as the replacement
• Password Generator — cryptographically secure passwords