CiphersOnline
Encryption Online
Hashing
SHA-256

SHA-256 Hash Generator

Generate a SHA-256 hash from text online. Type or paste a message to calculate its 256-bit digest as a 64-character lowercase hexadecimal string, then copy the result. Processing runs locally in your browser with the Web Crypto API, and the algorithm selector also lets you compare SHA-256 with other supported hash functions.

Input
0 chars · 0 bytes
Try:
Hash
✓ Client-side processing only ✓ Input is not sent to server
Examples
Empty string
Input (empty)
Output e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

The SHA-256 hash of an empty input is a well-known constant.

Plain text
Input hello world
Output b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9

A short message produces a 64-character hex string of fixed length.

Avalanche effect
Input Hello world
Output 64ec88ca00b268e5ba1a35678a1b5316d212f4f366b2477232534a8aeca37f3c

Changing one bit (lowercase h → uppercase H) completely changes the hash — the avalanche effect.

Standard SHA-256 test vector
Input The quick brown fox jumps over the lazy dog
Output d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592

A widely used test vector for checking that a SHA-256 implementation returns the expected digest.

What is SHA-256?

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function in the SHA-2 family. It converts input of any length into a fixed 256-bit (32-byte) digest, normally written as 64 hexadecimal characters. This online SHA-256 calculator displays the digest in lowercase hex.

SHA-256 is deterministic: identical input bytes always produce the same hash. It is also designed to be one-way and collision-resistant. In practical terms, the digest can identify or verify data, but it cannot be decrypted to reveal the original text. SHA-256 is hashing, not encryption.

Where SHA-256 is used

SHA-256 checks whether content changed by comparing a newly calculated digest with a trusted value. Common uses include software download checksums, content identifiers, digital-signature workflows, certificate fingerprints, and data deduplication. Bitcoin uses SHA-256 in proof-of-work and double-SHA-256 for several identifiers.

SHA-256 is also a component inside keyed and password-based constructions. HMAC-SHA-256 authenticates messages, API requests, and HS256 JWTs with a secret key; PBKDF2-HMAC-SHA-256 derives keys through repeated hashing. A plain SHA-256 digest does not provide those protections by itself and should not replace HMAC, a digital signature, or a password-hashing function.

How to use the SHA-256 hash generator
  1. Type or paste the text you want to hash into the input field.
  2. Keep SHA-256 selected in the algorithm menu.
  3. The generator calculates the digest in your browser and shows a 64-character hexadecimal result.
  4. Use the copy button to place the SHA-256 hash on your clipboard.

The calculator hashes the exact UTF-8 bytes of your text. Letter case, spaces, punctuation, Unicode characters, and line endings are significant, so preserve them when reproducing or verifying a hash. You can switch the algorithm menu to compare the same text with SHA-512, SHA-3, BLAKE2, SHA-1, MD5, or CRC32.

How the SHA-256 algorithm works

SHA-256 first encodes the message as bytes, appends padding and the message length, and divides the result into 512-bit blocks. Each block passes through 64 rounds of bitwise operations, modular additions, constants, and message-schedule values. The final internal state consists of eight 32-bit words, which together form the 256-bit digest.

A tiny input change should alter roughly half of the output bits, a property called the avalanche effect. For an ideal 256-bit hash, generic preimage search requires about 2256 attempts and generic collision search about 2128. SHA-256 remains suitable for modern integrity and cryptographic protocols when used in the correct construction.

FAQ

No. SHA-256 is a one-way function, so there is no SHA-256 decoder or decryption key that restores the original text. Someone can only guess a possible input, hash it, and compare the result. That can expose short or predictable values, but it does not reverse the algorithm.

MD5 produces 128 bits and SHA-1 produces 160 bits; both have practical collision attacks and should not protect security-sensitive data. SHA-256 produces 256 bits and has no known practical collision or preimage attack. Use the exact algorithm required by the protocol or published checksum, and prefer SHA-256 or a modern alternative for new designs.

Do not store passwords with raw SHA-256. It is deliberately fast, which also makes large-scale password guessing fast. Use a maintained implementation of Argon2id, scrypt, bcrypt, or PBKDF2 with a unique random salt and an appropriately configured work factor.

The SHA-256 calculation runs locally in your browser through the Web Crypto API; the text is not sent to the server for hashing. Avoid placing secrets into any website on a device or browser you do not trust.

The two tools are probably hashing different bytes. Check letter case, leading or trailing spaces, tabs, line endings, Unicode normalization, and whether the other tool expects plain text, hex, Base64, or a file. This generator interprets the input as text and encodes it as UTF-8 before hashing.

This page hashes text entered in the input field; it does not read uploaded files. Pasting a filename hashes the filename itself, not the file contents. To verify a download, use a file checksum utility that reads the file bytes and compare its SHA-256 output with a checksum from a trusted source.

Hash the exact original text with SHA-256 and compare all 64 hexadecimal characters with the expected digest. Matching values show that the input bytes are the same with extremely high confidence. For protection against a malicious change, the expected hash must come from a trusted source; otherwise an attacker could replace both the data and its hash.

No. Encryption is reversible with a key, while SHA-256 creates a one-way digest without a key. HMAC-SHA-256 combines SHA-256 with a secret key to authenticate a message. Use HMAC when recipients share a secret and must detect deliberate tampering; a plain hash alone cannot prove who created the message.
Related tools

HMAC Generator

Generate an HMAC from text with a secret key in your browser.

All Hashing & Password Security →