How to decrypt a SHA-256 encrypted string?

SHA-256 is a cryptographic (one-way) hash function, so there is no direct way to decode it. The entire purpose of a cryptographic hash function is that you can't undo it.

One thing you can do is a brute-force strategy, where you guess what was hashed, then hash it with the same function and see if it matches. Unless the hashed data is very easy to guess, it could take a long time though.

You may find the question "Difference between hashing a password and encrypting it" interesting.


It should be noted: SHA-256 does not encrypt the data/content of your string; it instead generates a fixed-size hash, using your input string as a seed.

This being the case, I could feed in the content of an encyclopedia, which would easily be 100 MB in size of text, but the resulting string would still be 256 bits in size.

It's impossible for you to reverse the hash to get that 100 MB of data back out of the fixed-size hash. The best you can do is try to guess/compute the seed data, hash it, and then see if the hash matches the hash you're trying to break.

If you could reverse the hash, you would have the greatest form of compression to date.


SHA* is a hash function. It creates a representation (hash) of the original data. This hash is never intended to be used to recreate the original data. Thus it's not encryption. Rather, the same hash function can be used at 2 different locations on the same original data to see if the same hash is produced. This method is commonly used for password verification.


You've done the correct thing by using a salt aka SSHA.

SHA and SHA-2 (or SHA-256) by itself without a salt are NOT considered secure anymore! Salting a SHA hash is called Salted SHA or SSHA.

Below is a simple example of how easy it is to de-hash SHA-1. The same can be done for SHA-2 without much effort as well.

Enter a password into this URL: http://www.xorbin.com/tools/sha1-hash-calculator

Copy and paste the hash into this URL: https://hashes.com/en/decrypt/hash

Here's a page which de-hashes SHA-2. The way this page works is that somebody must have hashed your password before, otherwise it won't find it: md5hashing dot net/hashing/sha256

Here's a page that claims to have complete SHA-2 tables available for download for a "donation" (I haven't tried it yet): crackstation dot net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Here's a good article that explains why you have to use SSHA over SHA: crackstation dot net/hashing-security.htm
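
The guess-and-compare approach from the first answer and the effect of a salt from the last answer, as an added example that is not part of any of the original posts. The candidate list, function names and the `salt || password` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for a lookup table.
CANDIDATES = ["123456", "password", "letmein", "qwerty"]


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as hex; always 64 hex characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def build_table(candidates):
    """Precompute unsalted digest -> candidate, the way a lookup site stores them."""
    return {sha256_hex(c.encode()): c for c in candidates}


def lookup(digest_hex, table):
    """Return the candidate that hashes to digest_hex, or None.
    Nothing is decrypted: a hit only means someone hashed that input before."""
    return table.get(digest_hex)


def salted_hash(password: str, salt: bytes = None):
    """Hash salt || password (assumed layout); a random 16-byte salt by default."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha256_hex(salt + password.encode())


def verify(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate_hex = salted_hash(password, salt)
    return hmac.compare_digest(candidate_hex, stored_hex)


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    print("unsalted lookup:", lookup(sha256_hex(b"letmein"), table))
    salt, stored = salted_hash("letmein")
    print("salted lookup:  ", lookup(stored, table))
    print("verify correct: ", verify("letmein", salt, stored))
    print("verify wrong:   ", verify("password", salt, stored))
```

The unsalted digest is found in the precomputed table, while the salted digest of the same password is not, yet it still verifies when the stored salt is supplied.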