I came to about the same conclusion as the others, but with a different justification.
Generally speaking, a prototype (brute force) attack on SHA-256 requires 2 ^ 256 ratings regardless of the password length. In other words, a password hash of thousands of characters will still take an average of 2 ^ 256 duplication attempts. 2 ^ 256 is about 1.2 Γ 10 ~ 77. However, a very short password, where the number of possibilities is less than 2 ^ 256, is even easier to break.
The threshold is transmitted when the number of possibilities is greater than 2 ^ 256.
If you use ISO 8859-1, which has 191 characters, there are 191 ^ n possible random passwords of length n, where n is the length of the password. 191 ^ 33 is about 1.9 Γ 10 ~ 75 and 191 ^ 34 is about 3.6 Γ 10 77, so the threshold would be 33 characters .
If you used plain ASCII with 128 characters, there would be 128 possible possible random passwords of length n, where n is the length of the password. 128 ^ 36 is about 7.2 x 10 ^ 75 and 128 ^ 37 is about 9.3 x 10 77, so the threshold will be 36 characters .
Some of the other answers seem to imply that the threshold always has 32 characters. However, if my logic is correct, the threshold changes, depending on the number of characters that you have in the character set .
Actually, suppose you used only the characters az and 0-9, you continue to add the strength of the password until your password is 49 characters long! (36 ^ 49 is about 1.8 Γ 10 ~ 76)
I hope this answer gives you a mathematical basis for answering the question.
As a side note, if a birthday (collision) attack were possible on the SHA-256, theoretically only 2 ^ 128 ratings (average) would be required, which is about 3.4 Γ 10 38. In this case, the threshold value for ISO 8859-1 will have a value of 16 characters (191 ^ 16 is about 3.1 Γ 10 ~ 36). Fortunately, such an attack has not yet been publicly demonstrated.
Please view SHA-2 Wikipedia articles, prefix attacks and birthday attacks .