SHA-256 is a cryptographic hash function in the SHA-2 family, designed by the U.S. National Security Agency (NSA) and standardized by NIST in FIPS 180-4 in 2012. It takes any input — from an empty string to multi-gigabyte files — and produces a fixed 256-bit (64-character hexadecimal) digest.
The algorithm processes input in 512-bit (64-byte) blocks through 64 rounds of mixing. It maintains an 8-word internal state (A through H) initialized to constants derived from the square roots of the first eight primes. Each round applies bitwise rotations, XOR, addition and the two non-linear functions Ch (choose) and Maj (majority). Round constants come from the cube roots of the first 64 primes, giving the algorithm strong avalanche properties: a one-bit change in the input flips roughly half the output bits.
As of 2026 there are no known practical collision or pre-image attacks against full 64-round SHA-256. The best published cryptanalysis reaches partial collisions on reduced-round variants. Collision resistance is on the order of 2^128 operations — far beyond any realistic adversary — making SHA-256 safe for TLS certificate signatures, Bitcoin's proof-of-work, file integrity verification and content addressing in systems like IPFS and modern Git.
The one thing SHA-256 is not designed for is password storage. Because it is a fast hash (a modern GPU computes billions of digests per second), an attacker who steals a database of SHA-256 password hashes can brute-force common passwords quickly. For passwords, use a slow, salted KDF such as Argon2id, scrypt or bcrypt. For everything else, SHA-256 is the modern default.
SHA-256 is standardized as FIPS 180-4 by NIST, defined in RFC 6234 by the IETF, and approved by the U.S. government for use in federal information systems. It is the recommended default in the NIST SP 800-131A Rev. 2 transition guidance, and the only hash function still accepted for new CMS, TLS 1.3 and PGP signatures.