IMO this is more work than you need. Sha256 would be 2^256 chance for collision, which is, well very high. I'm not a cryptographic expert by any far stretch of the imagination, but best I know sha256 has not been compromised as of yet. I wouldn't go to any effort to chop the strings up.
The ordering isn't desirable though. You have a salt and pepper that are added after the hash, which means that all passwords start and end with the same sequence. Instead, use
hash('sha256', $salt . $password . $pepper); where salt and pepper could be anything, even a single byte that add uniqueness to the password. So two users with the passwords 'apassword' don't end up with the same password within storage.
Cutting the string up isn't all that helpful overall. If software is compromised as well, than the pattern is a standard sequence in order to reassemble it. Since you cannot randomize it, you would either need to do pattern reassembly for it based on offset sequence, or you would need to calculate reassignment based on values. The latter is pretty much what the hashing algorithms are doing anyways.
BTW, if you want to split that up, create an array instead using str_split instead.
header('HTTP/1.1 420 Enhance Your Calm');