Question 1

Is SHA-256 still considered secure?

Accepted Answer

Yes. SHA-256 has no known practical collision or preimage attacks and is the recommended secure default for general-purpose hashing — it's used by TLS, Bitcoin, Git, JWTs, and most code-signing infrastructure. NIST and other standards bodies continue to recommend it (alongside SHA-512 and SHA-3) for new systems.

Question 2

SHA-256 vs SHA-512 — which should I pick?

Accepted Answer

Both are secure. SHA-512 is actually faster on 64-bit CPUs because it operates on 64-bit words, but it produces a longer 128-character hex digest. Pick SHA-256 for compatibility (it's the de facto standard) and SHA-512 if you want a larger output or are running on 64-bit-only hardware. SHA-384 is a truncated SHA-512 — useful when you want length-extension resistance with a shorter digest.

Question 3

Can I use SHA-256 to store passwords?

Accepted Answer

Not directly — SHA-256 is too fast. An attacker with a stolen hash can compute billions of guesses per second on a GPU. For password storage, use a slow key-derivation function like Argon2id, bcrypt, scrypt, or PBKDF2 (which uses SHA-256 internally as a primitive). The KDF adds cost factors that make brute-force impractical.

Question 4

Does my text get uploaded anywhere?

Accepted Answer

No. The hash is encoded right in your browser via crypto.subtle.digest from the Web Crypto API. You can verify by opening DevTools' Network tab — no requests are made when you generate a hash. The page itself was loaded once; everything after that is local.

Question 5

What's the output length of a SHA-256 hash?

Accepted Answer

Always 256 bits, which is 32 bytes, which is 64 hexadecimal characters. The length is fixed regardless of input size — hashing one character or a one-gigabyte file both yield a 64-character hex string.

SHA-256 Generator

What is SHA-256 and when should you use it?

About SHA-256

Frequently asked questions

Related tools