What Is the SHA-256 Hash of "password"?
The SHA-256 hash of "password" is 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8. NEVER use SHA-256 alone for passwords -- use bcrypt or Argon2. SHA-256 is too fast: modern GPUs compute billions of hashes per second, making brute-force attacks trivial for common passwords.
Why SHA-256 Fails for Passwords
| Algorithm | Speed (hashes/sec) | Time to crack "password" |
|---|---|---|
| SHA-256 | ~10 billion (GPU) | < 1 second |
| bcrypt (10 rounds) | ~10,000 (GPU) | Dictionary dependent |
| Argon2id | ~1,000 (GPU) | Dictionary dependent |
What to Use Instead
// Node.js — bcrypt
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash('password', 12);
// Python — Argon2
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash('password')Verify the SHA-256 Hash
// Node.js
require('crypto').createHash('sha256').update('password').digest('hex');
// "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"Try It Yourself
Use our SHA-256 Hash Generator to hash any string, or our Bcrypt Generator for proper password hashing.
Frequently Asked Questions
Why is SHA-256 not suitable for password hashing?
SHA-256 is designed to be fast. Modern GPUs compute billions of SHA-256 hashes per second, making brute-force and dictionary attacks trivial. Password hashing algorithms like bcrypt and Argon2 are intentionally slow and use salt.
What should I use instead of SHA-256 for passwords?
Use bcrypt (10-12 rounds), Argon2id (recommended by OWASP), or scrypt. These algorithms are intentionally slow, use salt, and are resistant to GPU-based attacks.