SHA-256 is a hashing function similar to that of SHA-1 or the MD5 algorithms. The SHA-256 algorithm generates a fixed size 256-bit (32-byte) hash. Hashing is a one way function – it cannot be decrypted back. However it can be cracked by simply brute force or comparing hashes of known strings to the hash.

Below is an example hash, this is what a SHA-256 hash of the string password looks like. Identification of these hash types is a matter of picking the length and then starting with the most common forms of these hashes.

Go ahead and test our free password recovery of a SHA-256 hash using a password dictionary and brute force matching of the resulting hash.

Background on SHA-256 Hashes

SHA-2 is a family of hashes including the popular SHA-256 and SHA-512 functions. These are generated using a similar technique however they are stronger mathematically, making brute force attacks against them more difficult. Even so, there are better encryption algorithms that can be used for modern web applications. A popular and secure method is the bcrypt function.

Cracking SHA-256 Hashes

Attacking (often referred to as cracking) SHA-256 hashes is performed using the same technique as any one-way hashing function. Computing possible matches of the original string as fast as possible to find a matching hash.

See the following chart to get an idea of the weakness in standard hashing algorithms for password storage. These show brute force attempts against a single hash. cudaHashcat is running on an NVIDIA 560 GTX GPU that is a few years old now, so consider these on the low end of what is capable.

Note the difference between hashcat and cudaHashcat against the same SHA-1 hash. You are reading that correctly MD5 hashes being brute forced at 1.8 billion per second.