Many (most?) websites require a username + password credential to gain access to an account. I would like to learn how websites do this, so consider the following: 1. I go to a website for which I already have an account 2. I input my passphrase - for this example let's say my passphrase is eggsandbacon Now, what I thought happens is the following: 1. The website takes the passphrase I have entered (eggsandbacon) and hashes it using sha256 - which results in 5d33b822d391dac58b9e4a07cb9fa9e20cd8d61d3287f073691a350240e03690 2. The website then compares the hashed passphrase against the hashed passphrase I have on file at the website - ideally the website would have hashed my passphrase (eggsandbacon) using sha256 when I created the account. If someone were to hack the website and obtain the hashed passphrase (in this case 5d33b822d391dac58b9e4a07cb9fa9e20cd8d61d3287f073691a350240e03690) and enter that into the website, the website is going to hash it again before comparing it with the one they have on file. This would result in the wrong passphrase and deny access. Even with a massive cracking array scenario, this hash is going to take a very long time to brute force. My question is, when people hack websites, how do they obtain correct passwords for various accounts? Is the sha256 hash reversible?