Hash Identifier

Identify hash type by length and format — MD5, SHA-1, SHA-256, and more

Hash String

Runs locally · Safe to paste secrets

Also try:MD5 Hash Generator SHA-1 Hash Generator SHA-256 Hash Generator SHA-384 Hash Generator SHA-512 Hash Generator HMAC Generator

What Is Hash Identification?

Hash identification is the process of determining which cryptographic hash algorithm produced a given digest. Cryptographic hash functions like MD5, SHA-1, and SHA-256 each produce fixed-length outputs, and the output length is the primary signal used to identify an unknown hash. When you encounter a hexadecimal string in a database dump, configuration file, or API response, a hash identifier tool tells you which algorithm likely generated it.

Every hash algorithm maps arbitrary input data to a fixed-size output called a digest. MD5 always produces 128 bits (32 hex characters), SHA-1 always produces 160 bits (40 hex characters), and SHA-256 always produces 256 bits (64 hex characters). This deterministic output length is what makes algorithmic identification possible without access to the original input or the hashing code.

Identification by length alone is not always definitive. Several algorithms share the same output size — for example, SHA-256 and SHA3-256 both produce 64-character hex digests. In these cases, a hash identifier provides a list of candidate algorithms ranked by prevalence. Context clues such as the source system, encoding format (hex vs. Base64), and the presence of algorithm prefixes (like '$2b$' for bcrypt) narrow the possibilities further.

Why Use a Hash Identifier?

Unknown hashes appear regularly during security audits, database migrations, and forensic analysis. A hash identifier removes guesswork and points you to the correct algorithm in seconds.

⚡

Instant Detection

Paste a hash and get candidate algorithms immediately. No need to manually count characters or consult reference tables — the tool maps hex length to all matching algorithms automatically.

🔒

Privacy-First Analysis

All identification runs entirely in your browser using JavaScript. The hash value never leaves your device, which matters when analyzing password hashes, authentication tokens, or sensitive forensic evidence.

📋

Complete Algorithm Coverage

Detects MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and their SHA-3 counterparts. The reference table covers the full SHA-2 and SHA-3 families plus common alternatives like RIPEMD-160 and BLAKE2.

🚫

No Account or Installation

Works instantly in any modern browser. No sign-up, no API key, no CLI tool to install. Bookmark it and use it whenever you encounter an unknown hash — on any OS, any device.

Hash Identifier Use Cases

Security Auditing

During penetration tests, identifying password hash algorithms in leaked databases determines the cracking approach. MD5 and SHA-1 hashes indicate weak protection and can be prioritized for remediation.

Database Migration

When migrating user records between systems, the stored password hash algorithm must be known to configure the new authentication layer correctly. Misidentifying the algorithm causes all logins to fail.

DevOps and CI/CD

Build pipelines often include checksums for artifact verification. Identifying whether a checksum is SHA-256 or SHA-512 ensures you use the correct verification command in your deployment scripts.

Digital Forensics

Forensic examiners encounter hash digests in file integrity logs, blockchain records, and evidence metadata. Identifying the algorithm is a prerequisite for verifying evidence chain-of-custody.

API Integration

Third-party APIs sometimes return hash values without documenting the algorithm. Identifying the hash type from the response lets you configure your webhook signature verification or checksum validation correctly.

Learning Cryptography

Students working through cryptography courses can paste hashes generated by different algorithms and immediately see the relationship between algorithm choice, output length, and security properties.

Hash Algorithm Length Reference

The table below maps each common hash algorithm to its output size in bits, hex characters, and raw bytes. This is the primary lookup table used by hash identification tools. When multiple algorithms share the same hex length, you need additional context to distinguish them.

Algorithm	Bits	Hex Chars	Bytes	Notes
MD5	128	32	16	Broken — collisions trivial since 2004
SHA-1	160	40	20	Deprecated — SHAttered attack (2017)
SHA-224	224	56	28	Truncated SHA-256; rarely used standalone
SHA-256	256	64	32	Current standard; TLS, Git, Bitcoin
SHA-384	384	96	48	Truncated SHA-512; CNSA Suite approved
SHA-512	512	128	64	Maximum SHA-2 output; large-data hashing
SHA3-256	256	64	32	Keccak-based; NIST alternative to SHA-2
SHA3-512	512	128	64	Keccak-based; highest SHA-3 strength
RIPEMD-160	160	40	20	Used in Bitcoin address derivation
BLAKE2s	256	64	32	Faster than SHA-256; 256-bit output

Disambiguating Hash Lengths

Some hex lengths match multiple algorithms. The two most common ambiguities are 64-character hashes (SHA-256 vs. SHA3-256) and 40-character hashes (SHA-1 vs. RIPEMD-160). Here is how to tell them apart when length alone is insufficient.

64 hex chars: SHA-256 vs. SHA3-256

Both produce 256-bit (64-character) digests. SHA-256 is overwhelmingly more common in practice — Git commits, TLS certificates, Bitcoin blocks, and most API signatures use SHA-256. SHA3-256 is typically only found in systems that explicitly require NIST SP 800-185 compliance or Keccak-based constructions. Check the source system's documentation to confirm.

40 hex chars: SHA-1 vs. RIPEMD-160

SHA-1 is the far more prevalent 160-bit hash — used historically in Git (before SHA-256 transition), TLS, and code signing. RIPEMD-160 appears primarily in Bitcoin address generation (HASH160 = SHA-256 followed by RIPEMD-160). If the hash comes from a cryptocurrency context, consider RIPEMD-160; otherwise, SHA-1 is the likely candidate.

Code Examples

Below are working implementations of hash identification by hex length in four languages. Each function validates hex encoding, looks up the character count, and returns all matching algorithms.

JavaScript

function identifyHash(hex) {
  const len = hex.length
  const isHex = /^[0-9a-fA-F]+$/.test(hex)
  if (!isHex) return ['Not a hex-encoded hash']

  const map = {
    32:  ['MD5'],
    40:  ['SHA-1', 'RIPEMD-160'],
    56:  ['SHA-224', 'SHA3-224'],
    64:  ['SHA-256', 'SHA3-256', 'BLAKE2s'],
    96:  ['SHA-384', 'SHA3-384'],
    128: ['SHA-512', 'SHA3-512', 'BLAKE2b'],
  }
  return map[len] || [`Unknown (${len} hex chars)`]
}

identifyHash('d41d8cd98f00b204e9800998ecf8427e')
// → ["MD5"]

identifyHash('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
// → ["SHA-256", "SHA3-256", "BLAKE2s"]

Python

import re

HASH_LENGTHS = {
    32:  ['MD5'],
    40:  ['SHA-1', 'RIPEMD-160'],
    56:  ['SHA-224', 'SHA3-224'],
    64:  ['SHA-256', 'SHA3-256', 'BLAKE2s'],
    96:  ['SHA-384', 'SHA3-384'],
    128: ['SHA-512', 'SHA3-512', 'BLAKE2b'],
}

def identify_hash(hex_string: str) -> list[str]:
    hex_string = hex_string.strip()
    if not re.fullmatch(r'[0-9a-fA-F]+', hex_string):
        return ['Not a hex-encoded hash']
    return HASH_LENGTHS.get(len(hex_string), [f'Unknown ({len(hex_string)} hex chars)'])

identify_hash('da39a3ee5e6b4b0d3255bfef95601890afd80709')
# → ['SHA-1', 'RIPEMD-160']

identify_hash('a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a')
# → ['SHA-256', 'SHA3-256', 'BLAKE2s']

package main

import (
	"fmt"
	"regexp"
)

var hexPattern = regexp.MustCompile("^[0-9a-fA-F]+$")

var hashLengths = map[int][]string{
	32:  {"MD5"},
	40:  {"SHA-1", "RIPEMD-160"},
	56:  {"SHA-224", "SHA3-224"},
	64:  {"SHA-256", "SHA3-256", "BLAKE2s"},
	96:  {"SHA-384", "SHA3-384"},
	128: {"SHA-512", "SHA3-512", "BLAKE2b"},
}

func identifyHash(hex string) []string {
	if !hexPattern.MatchString(hex) {
		return []string{"Not a hex-encoded hash"}
	}
	if algos, ok := hashLengths[len(hex)]; ok {
		return algos
	}
	return []string{fmt.Sprintf("Unknown (%d hex chars)", len(hex))}
}

func main() {
	fmt.Println(identifyHash("d41d8cd98f00b204e9800998ecf8427e"))
	// → [MD5]
}

CLI (Bash)

#!/bin/bash
# Identify a hash from the command line by character count
hash="$1"

if [[ ! "$hash" =~ ^[0-9a-fA-F]+$ ]]; then
  echo "Not a hex-encoded hash"
  exit 1
fi

len=${#hash}
case $len in
  32)  echo "MD5 (128-bit)" ;;
  40)  echo "SHA-1 or RIPEMD-160 (160-bit)" ;;
  56)  echo "SHA-224 or SHA3-224 (224-bit)" ;;
  64)  echo "SHA-256 or SHA3-256 (256-bit)" ;;
  96)  echo "SHA-384 or SHA3-384 (384-bit)" ;;
  128) echo "SHA-512 or SHA3-512 (512-bit)" ;;
  *)   echo "Unknown hash length: $len chars" ;;
esac

# Usage: ./identify.sh d41d8cd98f00b204e9800998ecf8427e
# → MD5 (128-bit)

Frequently Asked Questions

How does hash identification work?

Hash identification primarily relies on the length of the hex-encoded digest. Each hash algorithm produces a fixed number of output bits: MD5 outputs 128 bits (32 hex chars), SHA-1 outputs 160 bits (40 hex chars), SHA-256 outputs 256 bits (64 hex chars), and so on. The identifier measures the string length, verifies it contains only hexadecimal characters, and maps it to known algorithm output sizes.

Can a hash identifier determine the exact algorithm with certainty?

Not always. Multiple algorithms can produce the same output length. SHA-256 and SHA3-256 both output 64 hex characters. SHA-1 and RIPEMD-160 both output 40 hex characters. In these cases, the tool returns all candidates. You need context — the source system, documentation, or algorithm prefixes — to narrow it to a single algorithm.

What if my hash is Base64-encoded instead of hex?

Base64-encoded hashes use a different character set (A-Z, a-z, 0-9, +, /) and have different lengths than their hex equivalents. A 256-bit hash is 44 Base64 characters but 64 hex characters. Decode the Base64 string to raw bytes first, then check the byte length: 16 bytes = MD5, 20 bytes = SHA-1, 32 bytes = SHA-256, 48 bytes = SHA-384, 64 bytes = SHA-512.

Is it safe to paste password hashes into an online identifier?

This tool runs entirely in your browser — no data is transmitted to any server. The hash never leaves your device. That said, for maximum operational security during a formal audit, you can verify this by inspecting the network tab in your browser's developer tools or by using the tool offline after the page has loaded.

Why is MD5 still used if it is cryptographically broken?

MD5 is broken for collision resistance — an attacker can craft two different inputs that produce the same hash. However, MD5 is still used in non-security contexts: file checksums for download verification, cache keys, deduplication, and ETags in HTTP. For these purposes, accidental collisions are astronomically unlikely and deliberate attacks are not a concern. MD5 must not be used for password hashing, digital signatures, or certificate verification.

How do I identify bcrypt, scrypt, or Argon2 hashes?

Password hashing functions like bcrypt, scrypt, and Argon2 use distinctive string prefixes rather than raw hex output. Bcrypt hashes start with '$2a$', '$2b$', or '$2y$' followed by a cost factor. Argon2 hashes start with '$argon2id$' or '$argon2i$'. Scrypt hashes typically start with '$scrypt$'. These are not raw cryptographic digests, so length-based identification does not apply — the prefix itself identifies the algorithm.

What is the difference between SHA-2 and SHA-3?

SHA-2 (which includes SHA-256, SHA-384, and SHA-512) is based on the Merkle-Damgard construction designed by the NSA and standardized in FIPS 180-4. SHA-3 (SHA3-256, SHA3-384, SHA3-512) is based on the Keccak sponge construction, selected through a public NIST competition and standardized in FIPS 202. They produce the same output lengths at matching security levels but use fundamentally different internal structures. SHA-3 was designed as a fallback in case structural weaknesses are found in SHA-2, though no such weaknesses have been demonstrated.