The 25-year-old recipe that your phone, your bank, and the entire internet still use every single day.
The big idea
Imagine a factory. You can throw anything into it — a letter, a book, a whole movie. It always spits out a code that's exactly 64 characters long. Always the same length, no matter what you put in. And the same thing in always gives you the same code out.
Say your friend sends you a photo. How do you know nobody changed it along the way? You both run it through the factory. If you get the same 64-character code, the photo is exactly what your friend sent. If even one pixel changed, the code would be completely different.
Fun fact
SHA stands for "Secure Hash Algorithm." The 256 means it makes a code that's 256 bits long — that's the 64 characters. It was created in 2001 by mathematicians working with the US government.
How it works
SHA-256 takes your data and chops it into small pieces — like cutting a long piece of paper into equal strips. Then it takes the first strip, scrambles it with a secret recipe of math, and passes the result to the next strip. That strip gets scrambled with the result from the first one. And so on, one after another, like a chain.
How SHA-256 processes data
Each block waits for the one before it. One at a time, like a chain — no shortcuts.
Because each piece depends on the one before it, SHA-256 can only work on one piece at a time. Even if your phone has 6 super-fast workers (cores), only one of them can do the hashing. The others just sit and wait. This made sense in 2001 when phones had one core. Today, it's a bottleneck.
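The chain described above, written out as a small Python program. This is an added example, not code from the original page: it follows the steps of the SHA-256 standard, and the names `compress` and `sha256_chain` are made up for this illustration.

```python
import hashlib
from math import isqrt

MASK = 0xFFFFFFFF
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, p))]  # first 64

def icbrt(n):
    x = round(n ** (1 / 3))  # float estimate of the cube root, corrected exactly below
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x

# Constants from the standard: fractional bits of square/cube roots of those primes.
H0 = [isqrt(p << 64) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 96) & MASK for p in PRIMES]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def compress(state, block):
    # Scramble one 64-byte strip into the running 8-word state.
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        ch, maj = (e & f) ^ (~e & g), (a & b) ^ (a & c) ^ (b & c)
        t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ch + K[i] + w[i]
        t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + maj
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256_chain(data):
    # Pad, cut into 64-byte strips, and record the state after each strip.
    zeros = b"\x00" * ((55 - len(data)) % 64)
    padded = data + b"\x80" + zeros + (8 * len(data)).to_bytes(8, "big")
    state, chain = H0, []
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
        chain.append(b"".join(x.to_bytes(4, "big") for x in state).hex())
    return chain  # chain[-1] is the 64-character digest

if __name__ == "__main__":
    msg = b"constructed sample message " * 5  # 135 bytes -> 3 strips
    print(sha256_chain(msg)[-1] == hashlib.sha256(msg).hexdigest())
```

The last entry of the list is the same code that `hashlib.sha256` gives for the same data. Change one byte in the first strip and every later entry changes too, because each strip starts from the result of the one before it.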
Where you'll find it
See the lock icon in your browser? That's SHA-256 checking that the website is real and nobody tampered with the connection.
When you log in, your phone doesn't send your password — it sends the hash. The website checks if the hash matches. Even if hackers steal the database, they get hashes, not passwords.
Every Bitcoin transaction is verified with SHA-256. Miners around the world do trillions of SHA-256 calculations every second trying to find the next block.
iMessage, Signal, and WhatsApp all use SHA-256 to make sure your encrypted messages haven't been changed along the way.
When you download an app, your phone checks its SHA-256 fingerprint to make sure it's the real thing — not a fake with a virus inside.
Fun fact
SHA-256 runs trillions of times every single day across all the world's devices. It's probably the most-used algorithm in human history — and it was designed before YouTube existed.
The big question
SHA-256 is like a castle that the world's smartest attackers have been trying to break into for 25 years. Nobody has succeeded. Not a single real-world attack. That's incredibly impressive — most security tools show cracks much sooner.
The castle is still standing, but the design has some quirks. SHA-256 has a weakness called a "length extension attack" — it's like if someone could add extra rooms to your castle without having the key. Modern hash functions like BLAKE3 were designed without this flaw from the start.
| | SHA-256 |
|---|---|
| Age | 25 years (2001) |
| Broken? | Never |
| Speed | Fast with special hardware |
| Uses all your cores? | No — one at a time |
| Government approved? | Yes (NIST/FIPS certified) |
The takeaway
SHA-256 is like a really good lock that every building in the world uses. Nobody has ever picked it. But newer locks are faster to use, easier to install, and have fewer quirks. The world keeps using SHA-256 because changing every lock on every building is hard — not because it's the best lock available.