Quick answer: hashlib provides standard hash algorithms such as SHA-256 with a common update, digest, and hexdigest interface. Hash bytes rather than an ambiguous text representation, stream large files in chunks, compare digests with a deliberate policy, and never confuse a fast general-purpose digest with password hashing or reversible encryption.

Python’s hashlib module creates cryptographic hash digests for bytes, strings after encoding, file contents, and other byte streams. Common modern choices include SHA-256 and SHA-512. For encryption keys rather than message digests, use the OpenSSL workflow in Generate OpenSSL Symmetric Keys With Python.
The official Python documentation covers hashlib, pbkdf2_hmac(), and hmac.compare_digest().
A hash is not encryption. Hashing is one-way: you use it to identify data, check integrity, compare digests, or derive stored password material. Encryption is reversible with a key. Encoding is a representation change. Keep those terms separate in code and documentation. Hashing is one-way and is not encryption; contrast it with the reversible classical cipher in Caesar Cipher in Python Tutorial.
For security-sensitive work, avoid MD5 and SHA-1 except when you must interoperate with an old checksum format. They are not appropriate for new security designs. Prefer SHA-256 or stronger algorithms for general digests.
Do not store passwords as a plain SHA-256 digest. Use a password-hashing scheme with a salt and many iterations, such as hashlib.pbkdf2_hmac(), hashlib.scrypt(), or a dedicated password hashing library such as bcrypt or Argon2.
Always hash bytes. When starting from text, encode it explicitly, usually with UTF-8. When showing a digest to people, use hexdigest() for readable hexadecimal text.
When comparing expected and actual digests, use hmac.compare_digest(). It avoids timing differences that can matter in authentication and signed-message checks.
For large files, update the hasher in chunks instead of reading the whole file into memory. The digest is the same as hashing the entire byte stream at once, but chunking scales better.
Choose the algorithm based on the job. A checksum for accidental corruption, a content identifier, a signed webhook, and a password-storage workflow have different requirements. hashlib provides building blocks, but the surrounding protocol still matters.
Store enough metadata to verify a digest later. For password-derived values, that means recording the algorithm, salt, iteration count, and derived bytes. For files or messages, it often means recording the algorithm name beside the digest text.
Use random salts for password storage. A salt is not a secret, but it must be unique enough to prevent attackers from reusing the same precomputed work across many stored passwords.
When reading files, normalize nothing unless the format explicitly says to do so. A hash should represent the exact bytes you intend to protect or identify, including line endings and encoding choices.
Create A SHA-256 Digest
Encode text to bytes before hashing it.
import hashlib
data = "PythonPool".encode("utf-8")
digest = hashlib.sha256(data).hexdigest()
print(digest)
sha256() receives bytes and returns a hash object.
hexdigest() returns readable hexadecimal text.
This pattern is useful for stable identifiers, integrity checks, and digest examples.
Update A Hash In Parts
Call update() multiple times to hash a stream of bytes.
import hashlib
hasher = hashlib.sha256()
hasher.update(b"first chunk")
hasher.update(b"second chunk")
print(hasher.hexdigest())
Each update adds bytes to the same digest calculation.
This is equivalent to hashing the two chunks concatenated together.
Use this approach when data arrives from a network stream, upload, or file reader.
Hash File-Like Data In Chunks
Read file content in pieces instead of loading it all at once.
import hashlib
from io import BytesIO
file_obj = BytesIO(b"alpha beta gamma")
hasher = hashlib.sha256()
for chunk in iter(lambda: file_obj.read(5), b""):
hasher.update(chunk)
print(hasher.hexdigest())
The loop reads five bytes at a time until the stream returns an empty byte string.
The same pattern works with a real file opened in binary mode.
Binary mode matters because hashes must be calculated from exact bytes.
Compare Digests Safely
Use compare_digest() for security-sensitive digest checks.
import hashlib
import hmac
expected = hashlib.sha256(b"message").hexdigest()
actual = hashlib.sha256(b"message").hexdigest()
print(hmac.compare_digest(expected, actual))
The comparison returns True because both digests match.
Use this for tokens, signatures, and authentication-related checks.
For ordinary non-security comparisons, normal equality is fine, but compare_digest() is the safer default for secret-derived data.
Derive Password Storage Material
pbkdf2_hmac() applies many iterations and a salt.
import hashlib
password = b"correct horse battery staple"
salt = b"demo salt"
key = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
print(key.hex()[:32])
The fixed salt is only for a repeatable demo.
In real systems, generate a unique random salt for each password and store it with the derived value.
Use current security guidance for iteration counts and password-hashing choices.
Sign A Message With HMAC
Use HMAC when a digest must include a shared secret.
import hashlib
import hmac
secret = b"shared secret"
message = b"amount=25¤cy=USD"
signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
print(signature)
A plain hash does not prove who created the message.
HMAC combines a secret key with the message and the selected hash algorithm.
Use HMAC for signed webhooks, request signing, and similar message-authentication workflows.
In short, use hashlib for byte digests, encode text explicitly, hash large files in chunks, avoid MD5 and SHA-1 for new security work, use password-hashing functions for passwords, and use HMAC plus compare_digest() when secrets or signatures are involved. For public-key encryption rather than hashing, continue with RSA Encryption in Python With cryptography.
Hash Text With An Encoding
A string must be encoded to bytes before hashing. Choose and document the encoding, usually UTF-8 for text, because different byte sequences produce different digests.
import hashlib
message = "Python Pool"
digest = hashlib.sha256(message.encode("utf-8")).hexdigest()
print(digest)
Hash A File In Chunks
Reading a large file all at once wastes memory. Update one hash object with bounded binary chunks and use hexdigest when the result needs to be stored or compared as text.
import hashlib
from pathlib import Path
path = Path("artifact.bin")
hasher = hashlib.sha256()
with path.open("rb") as stream:
for chunk in iter(lambda: stream.read(1024 * 1024), b""):
hasher.update(chunk)
print(hasher.hexdigest())
Compare A Digest Deliberately
A digest can verify that bytes match an expected value, but it does not prove who created them. For security-sensitive comparisons, use compare_digest and obtain the trusted expected digest through a protected channel.
import hmac
expected = "abc123"
actual = "abc123"
print(hmac.compare_digest(actual, expected))
Do Not Hash Passwords Naively
SHA-256 and similar algorithms are designed to be fast, which is useful for file checksums but harmful for password storage. Use a salted, tunable password KDF or a framework’s password hasher instead.
import hashlib
import os
password = b"example-only"
salt = os.urandom(16)
derived = hashlib.pbkdf2_hmac("sha256", password, salt, 300_000)
print(len(derived))
Python’s official hashlib documentation covers algorithms, streaming updates, digests, and password KDF boundaries. Related references include SHA-256, legacy MD5, and binary files.
For related hashing tasks, compare SHA-256, legacy MD5, and binary files when choosing a digest boundary.




Frequently Asked Questions
What is hashlib used for?
It provides common hash algorithms and a shared interface for producing digests from bytes-like data.
How do I hash a file?
Read it in binary chunks, update a hashlib object, and use hexdigest for a portable text representation.
Is SHA-256 encryption?
No. A cryptographic hash is a one-way digest and does not provide reversible encryption.
Can I hash passwords with SHA-256?
Do not use a fast general-purpose digest alone; use a password-specific, salted, tunable key-derivation function.