SHA-256 checksum generator

Hash text or files with SHA-256 — free, instant, entirely in your browser. Nothing you type or drop is uploaded anywhere.

drop a file here or browse any size · read locally, never uploaded
SHA-256

the hash appears here — type above or drop a file


What SHA-256 is

SHA-256 is the 256-bit member of the SHA-2 family, standardized by NIST in FIPS 180-4. It turns any input — a password, a sentence, a whole disk image — into a fixed 64-character hexadecimal fingerprint. Change one bit of the input and the output changes beyond recognition, which is what makes it useful: if two SHA-256 values match, the underlying data is the same, byte for byte.

It's the default integrity check of the modern internet. Linux distributions publish SHA-256 checksums next to their ISOs, TLS certificates and code signing lean on it, and git is migrating toward it. When a download page says just "checksum" or "hash" without naming an algorithm, it's usually this — a 64-character string is the tell (the hash identifier can confirm).

How to verify a download

  1. Find the published checksum on the project's official page — not the mirror you downloaded from. It looks like a1b2c3…, 64 characters.
  2. Drop the downloaded file into the tool above (or use the dedicated verify tool, which auto-detects the algorithm).
  3. Paste the published value into the compare field. You'll get a clear ✓ match or ✗ mismatch — no eyeballing 64 characters.
  4. On a mismatch: re-download first; most failures are truncated transfers. A repeat mismatch means don't run the file.

Prefer the terminal? Step-by-step guides: Windows (certutil), macOS (shasum), Linux (sha256sum). Many files at once? The batch tool reads and writes SHA256SUMS files.

Security status: solid

As of 2026 there is no practical collision or preimage attack against SHA-256 — unlike MD5 (collisions since 2004) and SHA-1 (since 2017), which survive only for corruption-checking. The one theoretical wart, length extension, doesn't affect checksums; when you need a keyed hash, that's what HMAC is for. Choosing between SHA-256 and its bigger sibling? See SHA-256 vs SHA-512.

Hashing text: mind the invisible characters

Text is hashed as UTF-8, exactly as typed. A trailing newline changes everything — echo hello | sha256sum appends one, which is why it disagrees with this page; printf hello | sha256sum matches. If a text hash "should" match and doesn't, suspect a newline, a stray space, or smart quotes before suspecting the math.

questions

Is SHA-256 still secure in 2026?

Yes. No practical collision or preimage attack is known, and it remains a NIST-approved standard (FIPS 180-4). It's what most projects publish next to downloads, and what TLS and code signing rely on.

Can two different files have the same SHA-256 checksum?

In theory yes; in practice nobody has ever found two inputs sharing a SHA-256, and the odds of stumbling on one are far below one in a trillion trillion. A matching checksum is treated as proof of identical content.

Does it matter if the hash is uppercase or lowercase?

No. Hex is case-insensitive: 2CF24DBA… equals 2cf24dba…. This page outputs lowercase with an uppercase toggle, and the compare field ignores case.

What is the SHA-256 of an empty string?

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 — every correct implementation returns exactly this for zero-byte input. It's a handy sanity check.

How do I check a file I downloaded against a published SHA-256?

Paste the published hash into the compare field on this page and drop the file — or use the dedicated verify tool, which auto-detects the algorithm. Prefer the terminal? See the guides for Windows, macOS and Linux.