When a database is breached, the first question is always the same: are the hashed passwords safe? The answer depends entirely on how those hashes were generated. SHA-256 itself cannot be decrypted — it is a one-way cryptographic hash function, not an encryption algorithm. But "cannot be decrypted" is not the same as "cannot be cracked."
What is SHA-256
SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function from the SHA-2 family, developed by the NSA and published by NIST in 2001 under FIPS 180-4. It takes an input of any length and produces a fixed 256-bit (32-byte) output — the hash, or digest. The output always looks random, and the same input always produces the same output.
SHA-256 is not an encryption algorithm. It has no key, and its output cannot be reversed. Its job is to produce a unique fingerprint of a piece of data — not to protect that data for later retrieval.
Three properties define its security:
- Preimage resistance. Given a hash, you cannot find the original input.
- Collision resistance. You cannot find two different inputs that produce the same hash.
- Avalanche effect. A single-bit change in the input flips roughly half the output bits, making the result completely unpredictable.
SHA-256 is used in TLS certificates, code signing, Git commit integrity, Bitcoin's proof-of-work mechanism, and (when combined with proper key derivation) password storage. It is one of the most widely deployed cryptographic primitives in production systems today.
Hashing vs. encryption: Why SHA-256 cannot be decrypted
SHA-256 is a cryptographic hash function — a one-way transformation. Encryption is a two-way operation: you encrypt data with a key, and you decrypt it with a key. Hashing has no key and no reverse path. Given a SHA-256 digest, there is no mathematical operation that recovers the original input.
The property that makes this possible is called preimage resistance: it must be computationally infeasible to find any input m such that SHA256(m) = h for a given hash h. A related property, the avalanche effect, means that changing a single bit in the input flips roughly half of the output bits — making it impossible to "work backwards" by making small adjustments.
| Property | Hashing (SHA-256) | Encryption (AES / RSA) |
|---|---|---|
| Direction | One-way | Two-way |
| Key required | No | Yes |
| Reversible | No | Yes (with key) |
| Output size | Fixed (256 bits) | Variable |
| Primary use | Integrity verification, password storage | Confidentiality |
The distinction matters in practice. If a developer stores passwords using AES encryption rather than hashing, a breach of the encryption key exposes every password in the database. A hash has no key to steal.
How the SHA-256 algorithm works (step-by-step)
SHA-256 is defined in NIST FIPS 180-4 and belongs to the SHA-2 family. It processes input of any length and produces a deterministic 256-bit output. The core structure is the Merkle-Damgård construction: the message is split into fixed-size blocks, each block is processed through a compression function, and the outputs are chained together.
Step 1. Preprocessing and padding
The input message is padded so its total length is a multiple of 512 bits. Padding always begins with a 1 bit, followed by enough 0 bits, followed by a 64-bit representation of the original message length. This step is mandatory even if the message already fits neatly — the algorithm must always know where the message ends.
Step 2. Message scheduling
The padded message is parsed into 512-bit blocks. Each block is divided into sixteen 32-bit words. Those sixteen words are then expanded into a 64-word message schedule using a mix of bitwise rotations and XOR operations. This expansion ensures that every bit of the original input influences the compression step.
Step 3. The compression function
This is where the work happens. SHA-256 maintains eight 32-bit working variables (a through h), initialized to constants derived from the fractional parts of the square roots of the first eight prime numbers. Over 64 rounds, these variables are updated using bitwise AND, OR, XOR, and NOT operations, plus modular addition. Two non-linear functions — Ch(e, f, g) and Maj(a, b, c) — introduce complexity that makes the relationship between input and output opaque. After all 64 rounds, the working variables are added back to the initial values for that block.
Step 4. Final output
After all blocks are processed, the eight working variables are concatenated to produce the final 256-bit digest. The same input always produces the same output. Any change to the input — even a single character — produces a completely different hash.
If SHA-256 can't be decrypted, how do hackers crack it?
SHA-256 is mathematically sound. The algorithm itself has no known practical weaknesses after more than two decades of cryptanalysis. What fails is not the algorithm — it is the way passwords are stored using it.
Brute-force attacks
A brute-force attack does not reverse the hash. It guesses. The attacker hashes candidate passwords (dictionary words, common patterns, character combinations) and compares the output against the stolen hash. If the hashes match, the password is found. The speed of SHA-256 is the problem here: a single Nvidia RTX 4090 GPU can calculate approximately 164 billion SHA-256 hashes per second (Specops Software, 2025). At that rate, an eight-character lowercase password is cracked in seconds.
Rainbow table attacks
A rainbow table is a precomputed database of hash-to-plaintext mappings. Rather than hashing on the fly, the attacker looks up the stolen hash in the table and reads off the original password. Tables for common password formats can be generated in advance and reused across multiple breaches. Collision resistance — the property that no two inputs should produce the same hash — is not what rainbow tables exploit. They exploit the fact that common passwords produce predictable, repeatable hashes.
Both attacks share a single prerequisite: the hash must be unsalted. Add a salt, and both attacks become dramatically more expensive.
Why plain SHA-256 is bad for password storage
SHA-256 was designed to be fast. For its intended uses — verifying file integrity, signing certificates, securing blockchain transactions — speed is a feature. For password storage, speed is a liability.
The problem: SHA-256 is too fast
At 164 billion hashes per second on consumer hardware, an attacker can exhaust the entire space of eight-character passwords containing uppercase, lowercase, digits, and symbols in under an hour. OWASP's Password Storage Cheat Sheet is explicit: "Fast hashing algorithms such as SHA-256 are not suitable for password storage because they allow attackers to perform large numbers of guesses quickly."
Solution 1: Salting
A salt is a unique, randomly generated string appended to each password before hashing. SHA256("password") always produces the same hash. SHA256("password" + "x7kQ2mNp") produces a completely different one — and every user gets a different salt. This defeats rainbow tables entirely: the attacker cannot precompute hashes for salted inputs without knowing each user's salt. It also means two users with the same password end up with different hashes in the database.
Solution 2: Key stretching with PBKDF2
Salting defeats precomputed lookups, but it does not slow down brute-force attacks. That requires key stretching. PBKDF2 (Password-Based Key Derivation Function 2) applies a pseudorandom function — typically HMAC-SHA-256 — thousands of times in sequence. Each iteration takes time. The attacker's 164 billion hashes per second drops to a fraction of that when each "guess" requires 600,000 iterations.
OWASP recommends PBKDF2 with HMAC-SHA-256 and at least 600,000 iterations for FIPS-140 compliance. Argon2id is the preferred choice where FIPS compliance is not required, as it also adds memory hardness.
Plain SHA-256 vs. PBKDF2-HMAC-SHA256: password storage security comparison
| Property | Plain SHA-256 | PBKDF2-HMAC-SHA256 (600,000 iterations) |
|---|---|---|
| Hashes per second (RTX 4090) | ~164,000,000,000 | ~273 |
| Time to crack 8-char password (all printable ASCII) | < 1 hour | > 200 years |
| Defeats rainbow tables | No (without salt) | Yes (unique salt per user) |
| Defeats brute force | No | Yes (computationally infeasible) |
| FIPS-140 compliant for password storage | No | Yes |
| OWASP recommended | No | Yes |
| Suitable for file integrity / checksums | Yes | No (too slow by design) |
Is SHA-256 vulnerable to quantum computers?
Grover's algorithm gives a quantum computer a quadratic speedup on unstructured search problems. Applied to SHA-256, it reduces the effective security from 2²⁵⁶ operations to 2¹²⁸ operations. That sounds alarming until you consider the scale: 2¹²⁸ is approximately 3.4×10³⁸. A quantum computer running at 10 billion operations per second would need roughly 3.4×10²⁸ years to exhaust half the search space — orders of magnitude longer than the age of the universe.
Shor's algorithm, which breaks RSA and elliptic-curve cryptography by factoring large integers efficiently, does not apply to hash functions. SHA-256's security is not based on integer factorization.
NIST is actively standardizing post-quantum algorithms (FIPS 203, 204, 205 were finalized in 2024), primarily targeting asymmetric cryptography. SHA-256 is not on the replacement list for the foreseeable future. The practical threat to SHA-256 from quantum computing remains theoretical.
How enterprise password managers use cryptography securely
Enterprise password managers that follow zero-knowledge principles apply the same cryptographic building blocks covered in this article (SHA-256, PBKDF2, HMAC, AES-256) but combine them into a layered architecture where the server never holds plaintext data or the keys to decrypt it. The security guarantee comes from the design, not from trusting the server.
The Passwork two-level encryption model
Knowing that plain SHA-256 is insufficient for password storage is one thing. Implementing the correct alternative across an enterprise is another. This is where the architecture of the tool matters as much as the algorithm.
Passwork is built on a zero-knowledge architecture: the server never holds enough information to decrypt user data. The master password never leaves the user's device. All cryptographic keys are generated client-side. The server stores only encrypted data and encrypted keys — decryption is only possible on the client.
The encryption chain works as follows, as documented in Passwork's cryptography overview:
- Master password (entered by the user) → PBKDF2 with SHA-256, 300,000 iterations
- Master key (512 bits) → AES-256-CBC
- Private RSA key (2048 bits, RSA-OAEP)
- Vault key (256 bits) → AES-256-CBC
- Record key (256 bits) → AES-256-CBC
- Record data (passwords, secrets, files — encrypted at rest)
On the server side, a separate AES-256-CFB layer encrypts the database independently. Every record is double-encrypted: once by the client before it leaves the device, once by the server before it is written to disk.
PBKDF2 at 300,000 client-side iterations aligns with NIST's recommendations (≥310,000 for SHA-256) and exceeds the OWASP minimum for most deployment contexts. The server-side PBKDF2 runs at 600,000 iterations — meeting the FIPS-140 threshold directly.
This architecture means that a database breach yields nothing actionable. An attacker who exfiltrates the database gets AES-256-encrypted blobs derived from keys that were never stored on the server.
Conclusion
SHA-256 is theoretically unbreakable. The algorithm has survived over two decades of cryptanalysis without a practical attack. But the algorithm is only as strong as its implementation. Store passwords as plain SHA-256 hashes, and a single GPU can test billions of candidates per second. Add a salt and apply PBKDF2 with sufficient iterations, and the same hardware becomes useless against your database.
The gap between "SHA-256 is secure" and "our passwords are secure" is filled by correct implementation — salting, key stretching, and a zero-knowledge architecture that ensures the server never holds the keys needed to decrypt user data.
If your team manages corporate credentials, Passwork protects them through zero-knowledge architecture, client-side AES-256 encryption, and PBKDF2 key stretching at 300,000 iterations — so a server compromise exposes nothing actionable. Passwork is available both as a self-hosted deployment for organizations that require full infrastructure control, and as a cloud solution for teams that want the same cryptographic guarantees without managing their own servers.
FAQ: SHA-256 explained
Can you decrypt SHA-256?
No. SHA-256 is a one-way cryptographic hash function. There is no key, no reverse algorithm, and no mathematical operation that recovers the original input from a hash. What attackers can do is guess — by hashing candidate passwords and comparing the output. That is cracking, not decryption, and it only works against weak or unsalted hashes.
What is the difference between SHA-256 hashing and encryption?
Encryption is reversible with the correct key. Hashing is not reversible under any circumstances. SHA-256 takes an input of any length and produces a fixed 256-bit output. The same input always produces the same output, but the process cannot be run in reverse. Encryption preserves the ability to recover the original data; hashing deliberately destroys it.
What is the avalanche effect in SHA-256?
The avalanche effect means that a single-bit change in the input flips approximately half of the output bits. Change one character in a password, and the resulting SHA-256 hash looks completely unrelated to the original. This property prevents attackers from using partial knowledge of an input to narrow down the hash search space.
What is PBKDF2 and why does it matter for password security?
PBKDF2 (Password-Based Key Derivation Function 2) applies a pseudorandom function — typically HMAC-SHA-256 — iteratively to a password and salt. Each iteration adds computational cost. At 600,000 iterations, the time required per guess increases by a factor of 600,000 compared to a single SHA-256 hash. This makes brute-force attacks against properly stored passwords impractical even with GPU-scale hardware.
Is SHA-256 vulnerable to quantum computing attacks?
Not practically. Grover's algorithm reduces SHA-256's effective security from 2²⁵⁶ to 2¹²⁸ operations. At 2¹²⁸, even a hypothetical quantum computer running at 10 billion operations per second would require more time than the age of the universe to exhaust the search space. NIST's post-quantum cryptography standardization effort targets asymmetric algorithms, not SHA-256.
What is the Merkle-Damgård construction?
The Merkle-Damgård construction is the structural framework underlying SHA-256. The input message is divided into 512-bit blocks. Each block is processed through a compression function that takes the current block and the output of the previous block as inputs. The outputs are chained sequentially, so the final hash depends on every bit of the entire input message.
Alex Muntyan
Alex Muntyan
Alex Muntyan
Table of contents
- What is SHA-256
- Hashing vs. encryption: Why SHA-256 cannot be decrypted
- How the SHA-256 algorithm works (step-by-step)
- If SHA-256 can't be decrypted, how do hackers crack it?
- Why plain SHA-256 is bad for password storage
- Is SHA-256 vulnerable to quantum computers?
- How enterprise password managers use cryptography securely
- Conclusion
- FAQ: SHA-256 explained
Table of contents
- What is SHA-256
- Hashing vs. encryption: Why SHA-256 cannot be decrypted
- How the SHA-256 algorithm works (step-by-step)
- If SHA-256 can't be decrypted, how do hackers crack it?
- Why plain SHA-256 is bad for password storage
- Is SHA-256 vulnerable to quantum computers?
- How enterprise password managers use cryptography securely
- Conclusion
- FAQ: SHA-256 explained
Self-hosted password manager for business
Passwork provides an advantage of effective teamwork with corporate passwords in a totally safe environment. Double encryption and zero-knowledge architecture ensure your passwords never leave your infrastructure.
Learn more