What Is a Cryptographic Hash? SHA-256 Explained Simply

A cryptographic hash takes any input and produces a fixed-length fingerprint. Learn the four properties that make a hash cryptographically secure, and why SHA-256 replaced MD5.

What Is a Hash Function?

A hash function takes any input (a word, a document, an entire hard drive) and produces a fixed-length output called a hash, digest, or fingerprint. SHA-256, for example, always produces a 256-bit (64 hexadecimal character) output, regardless of whether the input is one byte or one gigabyte.

Hash functions are not new: checksums like CRC32 have existed for decades. What makes a hash function cryptographic is a set of four specific mathematical properties that make it suitable for security applications.

The Four Properties of a Cryptographic Hash

1. Deterministic

The same input always produces the same output. SHA-256 of "hello" is always 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824, everywhere, every time.

2. Avalanche effect

Changing even a single bit of the input produces a completely different output, not a similar one. SHA-256 of "hello" and SHA-256 of "Hello" share no visible pattern. This prevents attackers from learning anything about the relationship between inputs by comparing their hashes.

3. Pre-image resistance

Given a hash output, it must be computationally infeasible to find any input that produces it. A hash is a one-way function: easy to compute forward, essentially impossible to reverse. This is why hashes can safely represent passwords: even if the hash database is stolen, recovering the original passwords requires enormous computation.

4. Collision resistance

It must be computationally infeasible to find two different inputs that produce the same hash output. A collision would mean two different files have identical fingerprints, breaking the assumption that a hash uniquely identifies content.
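
Properties 1 and 2 can be measured directly. The Python below is an added example, not part of the original article: it checks the "hello" digest quoted above, then flips each input bit in turn and counts how many of the 256 output bits change. The function names are illustrative.

```python
import hashlib

# Digest of "hello" exactly as quoted in the text above.
HELLO_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

def sha256_int(data: bytes) -> int:
    """SHA-256 digest as a 256-bit integer, convenient for bit arithmetic."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def bits_changed(a: bytes, b: bytes) -> int:
    """Number of output bits (out of 256) that differ between two digests."""
    return bin(sha256_int(a) ^ sha256_int(b)).count("1")

def avalanche_profile(message: bytes) -> dict:
    """Flip every input bit once and record how many output bits change."""
    counts = []
    for byte_index in range(len(message)):
        for bit in range(8):
            mutated = bytearray(message)
            mutated[byte_index] ^= 1 << bit  # single-bit change to the input
            counts.append(bits_changed(message, bytes(mutated)))
    return {
        "trials": len(counts),
        "min": min(counts),
        "max": max(counts),
        "mean": sum(counts) / len(counts),
    }

if __name__ == "__main__":
    # Deterministic: the same input gives the same digest on every machine.
    print(hashlib.sha256(b"hello").hexdigest() == HELLO_SHA256)
    # "hello" and "Hello" differ in exactly one bit (0x68 vs 0x48).
    print("hello vs Hello:", bits_changed(b"hello", b"Hello"), "of 256 bits differ")
    # An ideal hash changes about half of the output bits per flipped input bit.
    print(avalanche_profile(b"hello"))
```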

The SHA Family: A History of Breaking Things

The Secure Hash Algorithm family was developed by the NSA and standardized by NIST:

  • SHA-0 (1993): Withdrawn almost immediately after publication due to an undisclosed flaw.
  • SHA-1 (1995): 160-bit output. Widely adopted. In 2017, Google and CWI Amsterdam produced the first known SHA-1 collision (the SHAttered attack): two different PDF files with identical SHA-1 hashes. SHA-1 is now deprecated for most uses.
  • SHA-2 (2001): A family including SHA-256, SHA-384, and SHA-512. As of 2024, no practical collisions are known. SHA-256 and SHA-512 are the current standards for most security applications.
  • SHA-3 (2015): A completely different internal design (Keccak sponge construction) selected through an open competition. Provides an alternative if SHA-2 is ever broken.

MD5, an older algorithm, was broken in 2004 by Xiaoyun Wang; practical collisions can now be produced in seconds on a laptop. MD5 should not be used for any security purpose.

Common Uses for Cryptographic Hashes

  • File integrity verification: Software download pages publish SHA-256 hashes so you can verify a downloaded file has not been tampered with or corrupted in transit.
  • Password storage: Databases store hashes of passwords, not plaintext. When you log in, the system hashes your entered password and compares it to the stored hash. (A plain hash is insufficient; use bcrypt or Argon2, which add salt and computational cost.)
  • Digital signatures: Signing a hash of a document is mathematically equivalent to signing the document itself, but much faster.
  • Git commit IDs: Every Git commit is identified by the SHA-1 (now transitioning to SHA-256) hash of its contents, parent commit, and metadata.
  • Blockchain: Each block contains the hash of the previous block, forming a chain where altering any block changes all subsequent hashes.

Length Extension Attacks: A SHA-256 Vulnerability

SHA-256 (and SHA-512) are vulnerable to a length extension attack: given SHA-256(key || message), an attacker who knows the hash and the message length can compute SHA-256(key || message || extension) without knowing the key. This breaks the naive approach of building a message authentication code by hashing the key and the message together.

The solution is to use HMAC (Hash-based Message Authentication Code) when you need a keyed hash. HMAC's construction is specifically designed to prevent length extension attacks. Alternatively, SHA-3 is not vulnerable to length extension by design.

For password storage, never use a raw SHA-256 hash. Use a purpose-built password hashing function: bcrypt, scrypt, or Argon2id. These add a random salt (preventing precomputed attacks) and are deliberately slow (increasing the cost of brute-force attacks), making them far more appropriate for the purpose.

References

  1. NIST. (2012). FIPS PUB 180-4: Secure Hash Standard (SHS). National Institute of Standards and Technology.
  2. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., & Markov, Y. (2017). The First Collision for Full SHA-1. SHAttered.io / CWI Amsterdam and Google Research.
  3. Wang, X., & Yu, H. (2005). How to Break MD5 and Other Hash Functions. Advances in Cryptology – EUROCRYPT 2005, LNCS 3494.
  4. OWASP. (2024). Password Storage Cheat Sheet. Open Web Application Security Project.