How to Hash Strings with SHA-256

Hash in code when the value is part of a workflow, and in the browser when you only need the result once.

SHA-256 is the right default when you need a one-way fingerprint of a string. It is fast, it is widely supported, and the output is small enough to compare by eye.

1. JavaScript with the Web Crypto API

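async function sha256(input) {
  // Hash the UTF-8 bytes of the string, not the string itself.
  const data = new TextEncoder().encode(input);
  const digest = await crypto.subtle.digest('SHA-256', data);
  // Convert the ArrayBuffer to a lowercase hex string.
  return [...new Uint8Array(digest)]
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}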

This works in every modern browser and in Node.js. The output is a 64-character hex string. In browsers, crypto.subtle is only exposed in secure contexts (HTTPS or localhost).

2. Python with hashlib

import hashlib

digest = hashlib.sha256('hello'.encode('utf-8')).hexdigest()

Always encode the input explicitly. hashlib raises a TypeError if you pass a str instead of bytes, which is a feature, not a bug, because hash output depends on the byte representation.

3. When to use SHA-256, MD5, or SHA-1

Use SHA-256 by default. Use MD5 only for non-security checks like cache keys, file deduplication, or checksums against legacy systems that already publish MD5 values. Use SHA-1 only when interfacing with a system that requires it (Git, some certificate workflows).

4. Salt before hashing passwords

Plain SHA-256 is the wrong tool for passwords. For passwords, use a slow, salted KDF such as bcrypt, scrypt, or Argon2. These are intentionally expensive to compute, so brute-force attacks scale poorly.

When to switch to the browser tool

For ad-hoc verification, use Hash Generator. It produces MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes locally so you can compare values without writing or running code.

For more utility entry points, browse Developer Utility Tools. If you also want to verify a token signature, see Decode JWT Tokens Safely.