You've seen SHA-256 mentioned in Bitcoin mining, file download verification, SSL certificates, and password storage — but what does it actually do? And why does it matter?
This article explains SHA-256 in plain English, without requiring any math or computer science background.
What Is a Hash Function?
A hash function is an algorithm that takes any input (a word, a sentence, an entire file) and produces a fixed-length output called a hash or digest. Think of it like a fingerprint — every input produces a unique fingerprint, and even a tiny change produces a completely different one.
SHA-256: 185f8db32921bd46d35f37bcb1d6c52f2d63f87b0a3f3f49e4c8a82c3b3a8e2
Input: "hello" (lowercase h)
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
Notice how changing just one character (capital H to lowercase h) produces a completely different 64-character hash. This is called the avalanche effect.
Key Properties of SHA-256
- Deterministic: Same input always gives the same output
- One-way: You cannot reverse a hash to get the original input
- Fixed output size: Always 256 bits (64 hexadecimal characters)
- Collision resistant: Practically impossible to find two different inputs with the same hash
- Avalanche effect: A tiny change in input creates a completely different hash
Real-World Uses of SHA-256
1. File Integrity Verification
When you download software, legitimate developers provide a SHA-256 hash alongside the download. After downloading, you can hash the file yourself and compare. If the hashes match, the file hasn't been tampered with.
2. Password Storage
Websites don't (or shouldn't) store your actual password. Instead, they store the SHA-256 hash of your password. When you log in, they hash your input and compare — if the hashes match, you're authenticated. This way, even if a database is stolen, the attacker gets hashes, not passwords.
3. Bitcoin and Blockchain
Bitcoin uses SHA-256 extensively. Each block in the blockchain contains the SHA-256 hash of the previous block, creating an unbreakable chain. Mining is essentially a competition to find the input that produces a hash with a specific number of leading zeros.
4. SSL/TLS Certificates
When your browser shows a padlock (HTTPS), SHA-256 is working in the background to verify the server's identity and ensure your connection is secure.
💡 Fun fact: The number of possible SHA-256 outputs is 2^256 — a number larger than the estimated atoms in the observable universe. This is why SHA-256 is considered computationally unbreakable.
SHA-256 vs Other Hash Algorithms
- MD5: Old and broken. Can be reversed/collided. Never use for security.
- SHA-1: Also deprecated. Collision attacks exist.
- SHA-256: Current standard. Secure and widely supported.
- SHA-512: More secure than SHA-256 but slower. Produces a 128-character hash.