Hash Identifier
Paste a hash to guess its algorithm. We match prefixes like bcrypt and Unix crypt, then fall back to length and character set to rank candidates such as MD5, SHA-1 and SHA-256.
How to identify a hash
- Paste the hash string into the box (one hash at a time).
- Read the ranked candidates, ordered by confidence.
- Use the highest-confidence match, noting that equal-length hashes can overlap.
Examples
MD5 hash
5f4dcc3b5aa765d61d8327deb882cf99
MD5 (high), NTLM (medium), MD4 (low), MD2 (low)
bcrypt hash
$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bcrypt (high)
Frequently asked questions
Is my hash sent to a server?
No. Identification runs entirely in your browser using JavaScript, so the hash you paste never leaves your device.
How does the detection work?
We first check for known prefixes like $2y$ (bcrypt) or $6$ (SHA-512 crypt). If none match, we look at the character set and length to rank likely algorithms.
Can it tell MD5 from NTLM?
Not reliably. MD5 and NTLM are both 32 hex characters, so they are indistinguishable by format alone. We rank MD5 higher because it is far more common, and list NTLM as a likely alternative.
Why do I get several candidates?
Many algorithms share an output length. A 64-character hex string could be SHA-256, SHA3-256 or BLAKE2s-256, so we show every plausible match instead of guessing one.
Does identifying a hash let me reverse it?
No. Cryptographic hashes are one-way. Knowing the algorithm only tells you how a value was hashed, not the original input.
Related tools
Reverse Shell Generator
Generate reverse shell one-liners for Bash, Python, PHP, Perl, Ruby, PowerShell, Netcat and Socat from an IP and port, plus the listener command.
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text. Live, lowercase hex output that runs entirely in your browser.
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.