
Hash Identifier

Identify hash types by analyzing length, character set, and format patterns

You Found a Hash. Now What?

You’re doing a security audit and you pull a string out of a database: $2b$12$LJ3m4ys5Lp0Kn.XKz7o9cOeS8fGdJfKjGzT2vQ8KpN1mXw3yR6xGi. What algorithm produced that? Is it bcrypt, scrypt, or something else? The answer changes everything about your security assessment.

Or maybe you’re in a CTF competition staring at 5d41402abc4b2a76b9719d911017c592. You need to know the algorithm before you can even start working on it.

This tool figures it out. Paste a hash, and it analyzes the length, character set, and structural patterns to tell you what you’re dealing with. Structured formats like bcrypt ($2b$) and Argon2 ($argon2id$) are identified with near-certainty. Raw hex strings get ranked by probability since multiple algorithms share the same output length.

How Identification Works

The logic is simpler than you might think:

Length narrows it down fast. MD5 is always 32 hex characters (128 bits). SHA-1 is 40 characters. SHA-256 is 64. SHA-512 is 128. If you’ve got a 32-character hex string, it’s almost certainly MD5 — though NTLM also produces 32 hex characters, so you’ll see both listed.

Prefixes are definitive. $2b$12$ is bcrypt with a cost factor of 12. $argon2id$ is Argon2. $5$ is SHA-256-crypt. $6$ is SHA-512-crypt. These structured formats embed the algorithm name right in the hash string, so identification is unambiguous.

Character set matters. A string of only hex characters (0-9, a-f) points toward the MD5/SHA family. A string with dots, slashes, and dollar signs points toward bcrypt. Base64-encoded hashes have their own distinct character pattern.
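
The three checks above combined into one function, as an added example that is not this tool's own code. The name identifyHash and the result fields are this example's own, and it goes slightly beyond the prefixes listed here by also accepting the $2a$/$2y$ bcrypt variants and the $argon2i$/$argon2d$ prefixes.

```javascript
// Added example: identify a hash by prefix first, then by charset and length.
// Function and field names are hypothetical, not taken from the tool.

// Structured formats: the prefix names the algorithm, so a match is definitive.
const PREFIXED = [
  { re: /^\$2[aby]\$(\d\d)\$/, name: "bcrypt",
    // Full shape: 22-char salt + 31-char digest in bcrypt's base64 alphabet.
    full: /^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$/ },
  { re: /^\$argon2(id|i|d)\$/, name: "Argon2" },
  { re: /^\$5\$/, name: "SHA-256-crypt" },
  { re: /^\$6\$/, name: "SHA-512-crypt" },
  { re: /^\$pbkdf2-sha256\$/, name: "PBKDF2-SHA256" },
];

// Raw hex digests: length only narrows the field, so candidates are ranked
// most likely first and never reported as certain.
const HEX_BY_LENGTH = {
  32: ["MD5", "NTLM"],
  40: ["SHA-1"],
  64: ["SHA-256"],
  128: ["SHA-512"],
};

function identifyHash(input) {
  const s = input.trim();
  for (const f of PREFIXED) {
    const m = s.match(f.re);
    if (!m) continue;
    const out = { kind: "structured", candidates: [f.name], certain: true };
    if (f.name === "bcrypt") {
      out.cost = Number(m[1]);          // cost factor embedded after the version
      out.wellFormed = f.full.test(s);  // false suggests truncation or a copy error
    }
    return out;
  }
  if (/^[0-9a-fA-F]+$/.test(s)) {
    const candidates = HEX_BY_LENGTH[s.length] || [];
    return { kind: "hex", candidates, certain: false, bits: s.length * 4 };
  }
  return { kind: "unknown", candidates: [], certain: false };
}

// The two sample strings quoted at the top of this article.
console.log(identifyHash("5d41402abc4b2a76b9719d911017c592"));
console.log(identifyHash("$2b$12$LJ3m4ys5Lp0Kn.XKz7o9cOeS8fGdJfKjGzT2vQ8KpN1mXw3yR6xGi"));
```

A bcrypt result with wellFormed set to false is worth a second look during an audit: the column may be too short and silently truncating hashes.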

Security Audit Implications

Discovering that an application stores passwords as unsalted MD5 is a critical finding. An attacker with a precomputed rainbow table can crack most common passwords in seconds. A single GPU can compute roughly 4.6 billion MD5 hashes per second.

Finding bcrypt with a cost factor of 12? That’s solid. Each hash takes about 250ms to compute, making brute-force attacks impractical.

Finding SHA-256 without salt? It’s better than MD5 (no known collision attacks), but it’s still way too fast for password storage — about 8.5 billion hashes per second on a modern GPU. Passwords need slow hashing algorithms, not fast ones.

The difference between “your users’ passwords are safe” and “every password in your database is compromised within hours” often comes down to which algorithm you identify in that database column.

CTF and Forensics Shortcuts

In competitions, time matters. Rather than guessing algorithms and feeding them to hashcat one by one, paste the hash here and get your answer in a second. A 64-character hex string? Probably SHA-256. Something starting with $pbkdf2-sha256$? PBKDF2. Now you know which hashcat mode to use.

For legacy system migrations, identifying the hash format tells you whether you can verify existing passwords against a new system or whether users will need to reset. If the old system used plain MD5, you might re-hash with bcrypt on next login and gradually migrate.

The Hash Generator produces hashes if you need to go the other direction. The Password Hasher (PBKDF2) handles proper password hashing with salt and iterations.

Everything runs in your browser — no hash data leaves the page.
