
hashlib — Compute Hash Values for Data

Learn hashlib.sha256's 64-char hash, three properties (determinism, avalanche effect, one-way), tamper detection, and why password storage needs bcrypt / argon2 through examples.

hashlib is a standard library module that computes a fixed-length hash value from any byte sequence. The headline algorithm, SHA-256, returns a 256-bit hash (a 64-character hex string) and is widely used wherever you want to confirm "is the content the same?" — file integrity checks, API signing, Git commit IDs, and the like.

Unlike pickle and base64, hashlib is a one-way conversion — you can't recover the input from the output. Keep in mind that it's not for "save and restore" but for "just tell me whether two inputs are the same or different".

[Figure: pickle / base64 vs hashlib]
pickle / base64: two-way conversion (object ⇄ bytes, bytes ⇄ ASCII); use: save and restore
hashlib: one-way conversion (bytes → hash, can't reverse); use: judge same vs different
pickle / base64 are reversible, two-way conversions used for "save and restore" and "transport conversion". hashlib is a non-reversible, one-way conversion for situations where you only need to judge whether two inputs are the same or different. The use cases are fundamentally different — don't confuse them.

SHA-256 — A 64-Character Hex Hash with Three Properties

[Figure: Four typical uses for hashlib]
file integrity: compare sha256sum
Git commit ID: hash of the whole tree
cache key gen: input hash as key
API signing (HMAC): prevent request tampering
Verifying download integrity / Git commit IDs / generating cache keys / API request signing (HMAC). The common thread is judging "is the content the same?" via a fixed-length hash — it's not reversible, so it can't replace storage.

[Figure: The three properties of hash functions]
input A → SHA-256 → hash X (64 hex chars)
input A (again) → SHA-256 → hash X (always identical)
input A' (1 char off) → SHA-256 → hash Y (entirely different)
Determinism (same input → same output), avalanche effect (one bit off → entirely different output), and one-way (can't recover the input from the output). SHA-256 always outputs a 64-character hex string, used for tamper detection and integrity checks.

| Method / Algorithm | Bit length | Use |
|---|---|---|
| hashlib.sha256(b) | 256 bit (64 hex chars) | file integrity / API signing (recommended) |
| hashlib.sha512(b) | 512 bit (128 hex chars) | when you want a longer hash |
| hashlib.md5(b) | 128 bit (32 hex chars) | collision attacks exist — don't use for new code |
| .hexdigest() | | get the hash as a hex string |
| .digest() | | get the hash as raw bytes |
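
Two of the uses listed above, download integrity checking and HMAC request signing, as an added example that is not part of the original page. The function names, the sample file bytes, the key and the request fields are all constructed for illustration; the code goes slightly beyond the text by hashing in chunks and comparing with hmac.compare_digest.

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=65536):
    """Hash a binary file-like object chunk by chunk (constant memory use)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_download(stream, published_hex):
    """True if the stream's SHA-256 matches the checksum the publisher listed."""
    expected = published_hex.strip().lower()  # checksum files vary in case/newlines
    return hmac.compare_digest(sha256_stream(stream).encode(), expected.encode())

def sign_request(key, method, path, body):
    """HMAC-SHA256 over method, path and body; requires the shared secret `key`."""
    message = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_request(key, method, path, body, signature_hex):
    """Recompute the signature and compare it in constant time."""
    expected = sign_request(key, method, path, body)
    return hmac.compare_digest(expected.encode(), signature_hex.encode())

# Constructed sample data (not from the original page).
FILE_BYTES = b"release-1.0 contents\n" * 1000
PUBLISHED = hashlib.sha256(FILE_BYTES).hexdigest()
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("intact file:  ", verify_download(io.BytesIO(FILE_BYTES), PUBLISHED))
    tampered = FILE_BYTES[:-2] + b"X\n"  # same length, one byte changed
    print("tampered file:", verify_download(io.BytesIO(tampered), PUBLISHED))
    body = b'{"amount": 10}'
    sig = sign_request(DEMO_KEY, "POST", "/transfer", body)
    print("valid request:", verify_request(DEMO_KEY, "POST", "/transfer", body, sig))
    print("edited body:  ",
          verify_request(DEMO_KEY, "POST", "/transfer", b'{"amount": 1000}', sig))
```
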

Don't use hashlib alone to store passwords

If you store user passwords by just hashing them with sha256 or similar, they become vulnerable to precomputed lookup attacks (rainbow tables). You can defend against this with dedicated libraries that build in salt + key stretching: bcrypt / argon2 / passlib. hashlib is a fit for "is the input the same?" scenarios like file integrity checks and API signing.

Compute the SHA-256 of "Hello, Python!" and confirm the output is always a 64-character hex string.

① Import hashlib and convert the string "Hello, Python!" to bytes with UTF-8.

② Get the SHA-256 of those bytes as a hex string with hashlib.sha256(...).hexdigest().

③ Print the length of the hash as SHA-256 length: ◯ (it should be 64).


Verify Determinism and the Avalanche Effect

Among hash function traits, "same input → same output" (determinism) and "one character off → entirely different output" (the avalanche effect) can be confirmed by comparing two slightly different inputs. These two properties are precisely what makes hashes useful for file integrity checks and tamper detection.

Compare the hash from Practice 1 against a recomputed value and a value with the last character changed.

① Repeat Practice 1's steps to put the SHA-256 of "Hello, Python!" into sha.

② Hash the same input again and check whether it equals sha — print as Same on recompute: True / False.

③ Compute the hash of the bytes with ! changed to . at the end and confirm it differs from sha — print as Different after one char: True / False.


Knowledge Check

Answer each question one by one.

Q1. What's the length of the string returned by SHA-256's hexdigest()?

Q2. What happens to the SHA-256 of the same input?

Q3. Can you recover the original input from a hash?

Q4. What's the best choice for storing user passwords?