๐ Passwords & Secrets
Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA
By Justin Le
ยท 7 min read ยท Updated June 27, 2026 "Just hash the password with SHA-256" is one of the most common โ and most dangerous โ pieces of advice in software. SHA-256 is an excellent hash function, but it's the wrong tool for storing passwords. Here's why, and what to use instead.
Hashing vs encryption (a quick reminder)
A hash is a one-way function: you can compute it, but you can't reverse it to recover the input. Storing a password's hash means that even if your database leaks, attackers don't immediately have the plain passwords. That's the right idea โ the problem is which hash, and how it's used.
The problem with SHA-256 for passwords
SHA-256 is designed to be fast. That's a feature for verifying file integrity, where you might hash gigabytes. But for passwords, speed helps the attacker. Modern hardware can compute billions of SHA-256 hashes per second. If your password database leaks, an attacker can guess billions of candidate passwords per second against it, cracking weak and medium-strength passwords almost instantly.
Worse, a plain unsalted hash means identical passwords produce identical hashes. Attackers precompute huge tables of hashes for common passwords ("rainbow tables") and simply look yours up.
What a salt does
A salt is a random value added to each password before hashing. Because every user gets a different salt, identical passwords produce different hashes, which defeats rainbow tables and forces the attacker to crack each hash individually. Salting is essential โ but on its own it doesn't fix the speed problem.
How bcrypt fixes it
Bcrypt is a password-hashing function built for this job. It does two things SHA-256 doesn't:
- It salts automatically. A random salt is generated and stored inside the hash output, so you don't manage it separately.
- It's deliberately slow, and tunable. A cost factor controls how many rounds of work each hash takes. Each increment doubles the cost. A cost of 12 might take a quarter of a second โ trivial for one login, but devastating for an attacker trying billions of guesses.
A bcrypt hash looks like $2b$12$N9qo8uLO...: the algorithm, the cost,
then the salt and hash together. Because the salt and cost live in the string, the
verifier has everything it needs to check a password later.
What about Argon2 and scrypt?
Bcrypt is a solid default, but Argon2 (the winner of the Password Hashing Competition) and scrypt are also excellent. They add memory-hardness โ they require lots of RAM, which blunts attackers using GPUs and custom hardware. If your platform supports Argon2id, it's a great choice; bcrypt remains perfectly respectable and is widely available.
Modern best practice
- Use bcrypt, scrypt or Argon2 โ never a bare SHA or MD5 โ to store passwords.
- Tune the cost so a single hash takes a noticeable fraction of a second on your hardware.
- Screen new passwords against known-breached lists rather than imposing arbitrary complexity rules.
- Add multi-factor authentication, which protects accounts even if a password is cracked.
Try it
Generate and verify bcrypt hashes โ and watch how the cost factor changes the time โ with our bcrypt generator & checker. Compare that with the instant output of the hash generator (MD5/SHA) to feel the speed difference for yourself. To define rules for your organisation, use the password policy generator.
Frequently asked questions
Can I use SHA-256 to store passwords if I add a salt?
Salting helps, but SHA-256 is still far too fast โ attackers can compute billions of guesses per second. Use a deliberately slow, salted algorithm like bcrypt, scrypt or Argon2 instead.
What is a bcrypt cost factor?
It controls how much work each hash takes; every increment doubles it. Higher cost means slower hashing, which slows attackers. A cost of 10โ12 is typical for production in 2026.
Is bcrypt or Argon2 better?
Both are good. Argon2id adds memory-hardness that resists GPU attacks and is the modern first choice where available. Bcrypt remains a solid, widely supported option.
Try the related tools
- Bcrypt Hash Generator & Checker Hash a password with bcrypt at an adjustable cost factor, or verify a password against a hash.
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512) Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- Password Policy Generator Turn your password rules into a written policy plus Linux PAM and Windows config.
Related guides
- How to Create a Strong Password (and Why Length Wins) Forget swapping letters for symbols. Here's what really makes a password strong โ entropy, length, uniqueness โ and the simple system that beats memorising rules.
- What Is a UUID? v4 vs v7 Explained What a UUID actually guarantees, why collisions are a non-issue, and why v7 is quietly replacing v4 for database keys.
- What Is HTTP Basic Authentication? The simplest way to password-protect a page โ and its big caveat. How Basic Auth works, why HTTPS is mandatory, and where it fits.