The number is the output size in bits. SHA-256 gives you 32 bytes (64 hex characters). SHA-512 gives you 64 bytes (128 characters). That's the most visible difference, but the internal architecture is different too, and it affects which one is faster where.
Internal differences
SHA-256 uses 32-bit words and runs 64 compression rounds per block. SHA-512 uses 64-bit words and runs 80 rounds. On a modern 64-bit CPU, SHA-512 is often faster than SHA-256 per bit of output — it does roughly twice the work and produces more than twice the output. OpenSSL benchmarks on x86_64 typically show SHA-512 running 20–40% faster in throughput terms.
On 32-bit hardware, this reverses. The 64-bit arithmetic that makes SHA-512 efficient doesn't exist, so SHA-256 wins.
Security margin
Neither has a known collision attack. 256 bits of collision resistance is already past what any realistic attack can touch — you're not picking SHA-512 because SHA-256 is "weaker." You'd pick SHA-512 for output size or throughput reasons, not security ones.
| SHA-256 | SHA-512 | |
|---|---|---|
| Output size | 256 bits (32 bytes) | 512 bits (64 bytes) |
| Word size | 32-bit | 64-bit |
| Rounds per block | 64 | 80 |
| Throughput on 64-bit CPU | Good | Often 20–40% faster per bit |
| Throughput on 32-bit CPU | Faster | Slower |
When SHA-256 is the right answer
TLS certificates, Git commits, code signing, JWT signatures — these all use SHA-256 (or close relatives like SHA-384). If something else will verify your hash, that something almost certainly expects SHA-256. The spec decides, not you.
Also: password hashing. But not SHA-256 alone. It's too fast — a GPU can try billions of SHA-256 hashes per second. Use bcrypt, Argon2, or scrypt instead. Those use SHA internally, but they add the deliberate slowness that makes brute-forcing expensive. If you're here for password hashing, skip to the bcrypt tool.
When SHA-512 makes sense
If you're hashing large files on a 64-bit machine and throughput actually matters, SHA-512 is genuinely faster there. That's a real reason to choose it.
If a protocol you're implementing requires 512 bits of output, SHA-512 is the obvious choice. This is less common than people think, but it comes up.
One niche note: SHA-512/256 produces a 256-bit output using SHA-512's internal structure, which avoids length-extension attacks. Browser Web Crypto APIs don't expose it, which is why this tool only offers the two main variants.
The short answer
SHA-256 for almost everything. It's what the ecosystem expects and what specs require. SHA-512 if you need the larger output or you've benchmarked a real throughput bottleneck on 64-bit hardware and confirmed it helps. Not because SHA-256 is insecure — it isn't — but because standardizing on what everything else uses saves you from explaning yourself later.
See both in action on the SHA-256 / SHA-512 tool.