Hash Type Identifier

Paste one or more hash strings to detect the likely algorithm — MD5, SHA-1, SHA-256, SHA-512, bcrypt, UUID, Base64, CRC32, and more.

Hash Input
Identification Result
Paste a hash string above to identify its type.

How to Use the Hash Type Identifier

  1. Paste your hash — enter any hash string in the input field. The tool accepts hashes in any case (upper or lower).
  2. Instant identification — as you type, the tool analyzes the hash length, character set, and prefix patterns to determine the likely algorithm.
  3. Read the result — each match shows the algorithm name, confidence level (high/medium/low), and key details like bit length, hex character count, and security status.
  4. Batch mode — switch to Multiple Hashes mode to identify many hashes at once. Each hash is analyzed independently and results are shown in a list.
  5. Reference table — switch to the Reference Table mode for a quick lookup of all supported hash types, their lengths, character sets, and security status.

How Hash Identification Works

Cryptographic hash functions produce output of a fixed length that depends entirely on the algorithm used — not on the input. MD5 always produces 128 bits (32 hex characters), SHA-256 always produces 256 bits (64 hex characters), and SHA-512 always produces 512 bits (128 hex characters). This tool uses this characteristic to identify hashes: it measures the length, checks the character set (hexadecimal vs Base64 vs mixed), and looks for distinctive prefixes like $2b$ for bcrypt or $argon2i for Argon2.

Confidence Levels Explained

  • High confidence — the hash has a unique length and character set, or a distinctive prefix that only one algorithm uses. Example: bcrypt always starts with $2b$, so any hash with that prefix is identified with high confidence.
  • Medium confidence — multiple algorithms share the same length and character set. Example: a 32-character hex string could be MD5, NTLM, MD4, or LM. Additional context is needed to determine the exact algorithm.
  • Low confidence — the hash partially matches a pattern but has unusual properties. For example, a Base64-encoded string that happens to be the right length for a SHA-1 hash could be either.

Choosing the Right Hash Algorithm

For checksums and data integrity verification (file downloads, API signatures), SHA-256 is the standard choice. It produces a 64-character hex string, is widely supported, and has no known practical vulnerabilities. For password storage, use bcrypt, scrypt, or Argon2 — these are specifically designed to be slow, which dramatically increases the cost of brute-force attacks. Never use MD5 or SHA-1 for new systems: MD5 is completely broken (collision attacks are trivial), and SHA-1 is deprecated by major browser vendors and certificate authorities. For unique identifiers, UUID v4 provides 122 bits of randomness and is universally supported across programming languages and databases.

Hash Lengths Quick Reference

The fastest way to narrow down a hash type is to count its characters: 8 hex chars = CRC32, 32 hex chars = MD5/MD4/NTLM, 40 hex chars = SHA-1/RIPEMD-160, 56 hex chars = SHA-224, 64 hex chars = SHA-256/SHA3-256, 96 hex chars = SHA-384, 128 hex chars = SHA-512/SHA3-512. Hashes that start with $ are almost always password hashes in PHC string format, which includes the algorithm identifier in the prefix. UUIDs have a distinctive 8-4-4-4-12 character pattern with hyphens.

Security Implications of Hash Algorithm Choice

Finding a hash type in a database dump or log file can have security implications. MD5 and SHA-1 password hashes are easily cracked with modern GPU hardware using dictionary and rainbow table attacks — billions of guesses per second are achievable. If you encounter MD5 or SHA-1 hashed passwords, they should be considered compromised and migrated to bcrypt immediately. SHA-256 and SHA-512, while cryptographically secure as hash functions, are too fast for password storage — attackers can still try billions of guesses per second against them. Only purpose-built slow hash functions (bcrypt, scrypt, Argon2) provide adequate protection for passwords at rest.

Frequently Asked Questions

The tool uses pattern matching based on hash length, character set, and prefix. Each hash algorithm produces output of a specific fixed length — MD5 is always 32 hex chars, SHA-256 is always 64 hex chars, and bcrypt always starts with '$2b$'. When the pattern is unique, the tool returns high confidence. When multiple algorithms share the same length, it returns all possibilities with medium confidence.
MD5 produces a 128-bit (32 hex character) digest and is now considered cryptographically broken — collision attacks are feasible. SHA-256 is part of the SHA-2 family, produces a 256-bit (64 hex character) digest, and remains secure. For passwords, neither is recommended — use bcrypt, scrypt, or Argon2 instead, as they are specifically designed to be slow and resist brute-force attacks.
No. Cryptographic hash functions are one-way — there is no mathematical way to reverse a hash back to the original input. This tool only identifies the likely algorithm. To find the original value, you would need dictionary attacks or rainbow tables, which are outside the scope of this tool.
Several hash algorithms produce output of the same length and character set. A 32-character hex string could be MD5, NTLM, MD4, or LM. A 40-character hex string could be SHA-1 or RIPEMD-160. When the pattern is ambiguous, the tool lists all candidate algorithms with medium confidence. Context about where the hash came from is needed to determine the exact algorithm.
bcrypt is a password hashing function designed to be slow. Unlike MD5 or SHA-256, bcrypt includes a random salt and work factor in its output. Hashes start with '$2b$10$' (version + cost factor). The output is 60 characters using a modified Base64 alphabet. The same password hashed twice with bcrypt produces different hashes because of the embedded salt.