Can the SHA-256 hash of Hello, World! be reversed?

No. SHA-256 is a one-way function. Given the hash dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f, there is no algorithm that recovers the input. The only practical approach is a preimage attack (trying many inputs and checking if any produce the same hash), which is computationally infeasible for SHA-256. This property is called preimage resistance.

How collision-resistant is SHA-256?

SHA-256 produces a 256-bit output, so the number of possible hashes is 2^256, a number with 77 digits. A birthday attack (finding any two inputs that collide) would require roughly 2^128 operations. No collision has ever been found for SHA-256. MD5 and SHA-1, by contrast, have known practical collision attacks and are considered broken for security purposes.

What is the difference between SHA-256 and MD5?

MD5 produces a 128-bit (32 hex character) hash; SHA-256 produces a 256-bit (64 hex character) hash. More importantly, MD5 is cryptographically broken: practical collision attacks exist, meaning two different inputs can be crafted to produce the same MD5 hash. SHA-1 is also compromised. For any security-sensitive use, SHA-256 (or SHA-3) is the correct choice.

Does Git use SHA-256?

Git has historically used SHA-1 to identify commits, trees, and blobs. Since SHA-1 is cryptographically broken, Git has been transitioning to SHA-256 object format (enabled with git init --object-format=sha256). However, most existing repositories still use SHA-1, and SHA-256 repositories are not yet interoperable with SHA-1 remotes in all toolchains.

SHA-256 Hash of "Hello, World!": Hash Generator

SHA-256 Hash of “Hello, World!”

The SHA-256 hash of Hello, World! is:

dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f

That is 64 hexadecimal characters representing 256 bits. You can verify this in any environment:

# Terminal (macOS/Linux)
echo -n "Hello, World!" | sha256sum

# macOS alternative
echo -n "Hello, World!" | shasum -a 256

# Python
import hashlib
hashlib.sha256(b"Hello, World!").hexdigest()

# Node.js
const crypto = require('crypto');
crypto.createHash('sha256').update('Hello, World!').digest('hex');

All should return dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f. If you get a different result, check for a trailing newline. echo without -n appends one, changing the input and the hash.

What SHA-256 Actually Does

SHA-256 is part of the SHA-2 family, standardized by NIST in 2001. It takes an input of arbitrary length and produces a fixed 256-bit output. The algorithm works in several stages:

Pre processing

The input is padded so its length is congruent to 448 mod 512 bits. A 64-bit representation of the original message length is appended. This ensures the total length is a multiple of 512 bits.

Message schedule

The padded input is split into 512-bit blocks. Each block is expanded into 64 32-bit words using bitwise operations (XOR, right shifts, rotations).

Compression

A compression function runs 64 rounds on the current hash state using the 64 words plus 64 round constants derived from the fractional parts of the cube roots of the first 64 prime numbers. The state is eight 32-bit variables (a through h) initialized from the fractional square roots of the first 8 primes.

Final hash

After processing all blocks, the eight state variables are concatenated to produce the 256-bit output.

Four Properties That Matter

Deterministic

The same input always produces the same hash. Hello, World! is always dffd6021.... This makes hashes useful as stable identifiers.

Fixed length output

A single character and a 10 GB file both produce a 256-bit hash. This property makes hashing useful for comparing files without comparing their content byte by byte.

Avalanche effect

Changing a single bit in the input completely changes the output. Hello, World! and Hello, World? produce hashes that share almost no bits. This means you cannot infer anything about the input from small changes in the hash.

Preimage resistance

Given a hash, you cannot work backwards to find the input. This is the foundation of how password hashing (at a high level) and digital signatures work.

Where SHA-256 Is Used

File integrity verification

When you download software, the project often publishes a SHA-256 checksum alongside the binary. You hash the downloaded file and compare. If they match, the file has not been tampered with in transit.

sha256sum downloaded-file.tar.gz
# compare against the published checksum

Bitcoin

Bitcoin’s proof of work algorithm requires miners to find a nonce such that SHA-256(SHA-256(block_header)) produces a hash below a target value. The double SHA 256 construction was chosen by Satoshi Nakamoto to defend against length extension attacks, which affect single SHA-256.

TLS certificate verification

X.509 certificates are signed with a hash of their content. SHA-256 is the standard for certificate signatures; SHA-1 was deprecated and removed from trusted certificate authorities around 2017.

HMAC construction

HMAC-SHA-256 uses SHA-256 as the underlying hash in a message authentication code. It is used in JWT signature verification (HS256), AWS request signing, and many API authentication schemes.

Git object storage

Git stores every file, directory tree, and commit as a content addressed object. The object’s SHA (historically SHA-1, transitioning to SHA-256) is computed from its content and used as both the storage key and the integrity check.

SHA-256 Is Not Enough for Password Storage

SHA-256 is fast, intentionally so. For file integrity and digital signatures, speed is desirable. For password hashing, it is a liability. An attacker with a GPU can compute billions of SHA-256 hashes per second, making brute force and dictionary attacks against a SHA-256 hashed password database practical.

Use a purpose built password hashing function instead:

bcrypt: deliberately slow, with a configurable cost factor. The standard choice for most web applications.
Argon2: winner of the Password Hashing Competition (2015). Configurable memory and CPU cost, resistant to GPU attacks. Prefer argon2id variant.
scrypt: memory hard like Argon2, used by some cryptocurrencies.

These functions include a per user random salt (preventing rainbow table attacks) and are designed to be tuned slower as hardware improves.

If you are storing passwords, do not use SHA-256 directly, not even with a salt. Use bcrypt or Argon2.

Comparing SHA-256 to SHA-1 and MD5

Algorithm	Output length	Status
MD5	128 bits (32 hex chars)	Broken. Practical collision attacks exist
SHA-1	160 bits (40 hex chars)	Broken. SHAttered attack (2017) demonstrated a practical collision
SHA-256	256 bits (64 hex chars)	Secure. No known weaknesses
SHA-3-256	256 bits (64 hex chars)	Secure. Different internal structure (Keccak sponge)

MD5 and SHA-1 are still used in non security contexts (checksums for error detection, legacy system identifiers) where collision resistance does not matter. For any context where an attacker might try to produce two inputs with the same hash (certificate fraud, file substitution, signature forgery), only SHA-256 or stronger should be used.