SHA-256 checksum generator
Hash text or files with SHA-256 — free, instant, entirely in your browser. Nothing you type or drop is uploaded anywhere.
the hash appears here — type above or drop a file
What SHA-256 is
SHA-256 is the 256-bit member of the SHA-2 family, standardized by NIST in FIPS 180-4. It turns any input — a password, a sentence, a whole disk image — into a fixed 64-character hexadecimal fingerprint. Change one bit of the input and the output changes beyond recognition, which is what makes it useful: if two SHA-256 values match, the underlying data is the same, byte for byte.
It's the default integrity check of the modern internet. Linux distributions publish SHA-256 checksums next to their ISOs, TLS certificates and code signing lean on it, and git is migrating toward it. When a download page says just "checksum" or "hash" without naming an algorithm, it's usually this — a 64-character string is the tell (the hash identifier can confirm).
How to verify a download
- Find the published checksum on the project's official page — not the mirror you downloaded from. It looks like
a1b2c3…, 64 characters. - Drop the downloaded file into the tool above (or use the dedicated verify tool, which auto-detects the algorithm).
- Paste the published value into the compare field. You'll get a clear ✓ match or ✗ mismatch — no eyeballing 64 characters.
- On a mismatch: re-download first; most failures are truncated transfers. A repeat mismatch means don't run the file.
Prefer the terminal? Step-by-step guides: Windows (certutil), macOS (shasum), Linux (sha256sum). Many files at once? The batch tool reads and writes SHA256SUMS files.
Security status: solid
As of 2026 there is no practical collision or preimage attack against SHA-256 — unlike MD5 (collisions since 2004) and SHA-1 (since 2017), which survive only for corruption-checking. The one theoretical wart, length extension, doesn't affect checksums; when you need a keyed hash, that's what HMAC is for. Choosing between SHA-256 and its bigger sibling? See SHA-256 vs SHA-512.
Hashing text: mind the invisible characters
Text is hashed as UTF-8, exactly as typed. A trailing newline changes everything — echo hello | sha256sum appends one, which is why it disagrees with this page; printf hello | sha256sum matches. If a text hash "should" match and doesn't, suspect a newline, a stray space, or smart quotes before suspecting the math.
questions
Is SHA-256 still secure in 2026?
Yes. No practical collision or preimage attack is known, and it remains a NIST-approved standard (FIPS 180-4). It's what most projects publish next to downloads, and what TLS and code signing rely on.
Can two different files have the same SHA-256 checksum?
In theory yes; in practice nobody has ever found two inputs sharing a SHA-256, and the odds of stumbling on one are far below one in a trillion trillion. A matching checksum is treated as proof of identical content.
Does it matter if the hash is uppercase or lowercase?
No. Hex is case-insensitive: 2CF24DBA… equals 2cf24dba…. This page outputs lowercase with an uppercase toggle, and the compare field ignores case.
What is the SHA-256 of an empty string?
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 — every correct implementation returns exactly this for zero-byte input. It's a handy sanity check.
How do I check a file I downloaded against a published SHA-256?
Paste the published hash into the compare field on this page and drop the file — or use the dedicated verify tool, which auto-detects the algorithm. Prefer the terminal? See the guides for Windows, macOS and Linux.