How to hash a password using the SHA-256 algorithm in Python

Hashing passwords is a common way to store passwords securely in databases.

Systems that need to verify their users when they log in would need to store a list of correct passwords. However, storing passwords in plaintextData that is not encrypted or hashed, but instead is in its original form, is known as plaintext. makes the system very vulnerable. If the list of passwords accidentally falls into the hands of a person with malicious intentions, they will suddenly have access to all the user accounts.

To combat this vulnerability, storing hashes of passwords is a good way to hinder the intents of a hacker even if they are to get access to the passwords.

When a new password is created, the system calculates the hash and stores it instead of the password. Similarly, when a user enters a password to log in, the system simply needs to recompute the hash and compare that against the stored hash for verification purposes. If a hacker gets access to the list of hashes, they still can’t determine the original passwords easily.

SHA-256 hash algorithm

The SHA-256 algorithm generates a unique 256-bit cryptographic hash from the provided data. SHA-256 is considered to generate unique hashes because it is assumed to be collision-free. Realistically, this algorithm can create hashes that collide too. However, because there are a total of 22562^{256} possible hashes, it reduces the probability of a collision to almost negligible.

It should be noted that SHA-256 is not the ideal algorithm to use for hashing passwords, because its computations are very quick. Quick computation means it’s also easy for hackers to compute hashes and brute force their way to the correct password. Instead, algorithms with a slower calculation speed should be preferred, such as bcrypt or scrypt.

Hashing passwords with SHA-256

Below, we see how we can use SHA-256 to compute hashes for passwords in Python:

import hashlib
def hashPassword(password):
encoded = password.encode("utf-8")
hashed = hashlib.sha256(encoded)
return hashed.hexdigest()
if __name__ == "__main__":
password = "co#cG091!@"
print("Original password:", password)
password = hashPassword(password)
print("Hashed password:", password)

We utilize the hashlib library for our purpose, which contains the sha256 algorithm that we would like to use. The hashlib library also contains many other hashing algorithms such as md5, sha1, sha512, etc.

Encoding before applying computing the hash

On lines 3–6, we define the function hashPassword, which we utilize to hash our password. Note that we first encode the password before passing it to the hashlib.sha256 function. The reason for this is that the sha256 algorithm is unable to accept input parameters of type string. Therefore, we first need to encode our password before hashing it.

Disclaimer: In the widget below, we can see that we get a TypeError when we try to use sha256 without encoding our password.

import hashlib
def hashPassword(password):
# encoded = password.encode("utf-8")
hashed = hashlib.sha256(password)
return hashed.hexdigest()
if __name__ == "__main__":
password = "co#cG091!@"
print("Original password:", password)
password = hashPassword(password)
print("Hashed password:", password)

Extracting the hexdigest

Similarly, we do not return the result of the sha256 function in its raw form. Instead, we extract its hexdigest and return it, so that our hash is presented in hexadecimal digits.

In the widget below, we can see that we get a hash object instead of a hash when we don’t extract the hexdigest:

import hashlib
def hashPassword(password):
encoded = password.encode("utf-8")
hashed = hashlib.sha256(encoded)
return hashed
if __name__ == "__main__":
password = "co#cG091!@"
print("Original password:", password)
password = hashPassword(password)
print("Hashed password:", password)

Conclusion

In conclusion, while the SHA-256 algorithm provides a straightforward and secure method for hashing passwords, it has limitations due to its fast computation speed, which can potentially expose passwords to brute-force attacks. For applications requiring stronger password security, using algorithms like bcrypt or scrypt is recommended, as they are designed to slow down the hashing process, making it more resilient against such attacks. However, understanding SHA-256 and its application in password hashing, as outlined in this guide, is an important step in grasping how modern password security protocols are implemented and highlights the necessity of choosing the right tools for protecting sensitive user data.

Free Resources

Copyright ©2025 Educative, Inc. All rights reserved