SHA-256, SHA-384, and SHA-512 Explained

SHA-256, SHA-384, and SHA-512 are members of the SHA-2 family, designed by the NSA and standardized by NIST. All three are widely used, well-analyzed, and considered secure today. They differ mainly in output size and the internal word size they operate on. This guide explains the practical differences and how to choose.

The quick comparison

• SHA-256 — 256-bit (32-byte) digest, 64 hex characters. Works on 32-bit words. The most common general-purpose hash.
• SHA-384 — 384-bit (48-byte) digest, 96 hex characters. A truncation of SHA-512 with a different initial state.
• SHA-512 — 512-bit (64-byte) digest, 128 hex characters. Works on 64-bit words.

SHA-256

SHA-256 is the workhorse of modern cryptography: TLS certificates, software signing, blockchain, file integrity, and HMAC all rely on it. Its 256-bit output offers a 128-bit collision-resistance security level, which is comfortably beyond brute force. If you have no specific reason to choose otherwise, SHA-256 is the right default.

SHA-384

SHA-384 is essentially SHA-512 with a different starting state and the output truncated to 384 bits. That truncation provides resistance to "length-extension" attacks that plain SHA-256 and SHA-512 are theoretically susceptible to (though HMAC avoids this entirely). It's a common choice in higher-assurance TLS configurations and where a 192-bit security level is specified.

SHA-512

SHA-512 produces the largest digest and, because it processes 64-bit words, is often faster than SHA-256 on modern 64-bit CPUs for large inputs — a frequent surprise. On 32-bit hardware the opposite is usually true. SHA-512 is a good fit when you want maximum margin or are already on 64-bit infrastructure.

The counterintuitive performance note

People assume a longer digest is always slower. For SHA-2 that is not reliably true: SHA-512's 64-bit operations can outperform SHA-256 on 64-bit servers. Many CPUs also include SHA-256 hardware acceleration (Intel SHA Extensions, ARMv8 crypto), which can flip the result again. If throughput matters, benchmark on your actual target hardware.

How to choose

• Default to SHA-256 for interoperability and broad hardware support.
• Use SHA-384 or SHA-512 when a standard requires a higher security level, when you want length-extension resistance via SHA-384, or when you're on 64-bit hardware processing large data.
• Match your JWT algorithm. HS256 pairs with SHA-256, HS384 with SHA-384, HS512 with SHA-512 — see our JWT guide.
• Never use any raw SHA-2 for passwords. It's too fast; use Argon2/bcrypt/scrypt instead, as explained in our hashing guide.

Compute a SHA-2 digest now

The Hashes tab supports SHA-256, SHA-384, and SHA-512 (plus SHA-1 for legacy checks) with hex, Base64, or Base64URL output and optional salting — computed locally in your browser.