SHA256 isn't particularly good as a password hashing algorithm, because it can be quite easily brute forced. I suggest implementing either bcrypt or Argon2 /, Argon2i, because both of these algorithms have a variable cost that can be adjusted to avoid the issue.