Hash Identifier

How to use

1. 1Paste the suspected hash, password hash, token, or identifier into the input box.
2. 2Read the candidate list, ordered from most likely (green) to least likely (slate). The first card is the strongest match for the input shape.
3. 3Check the character class badges (length, character set, total bits when applicable) to sanity check the input before trusting an identification.
4. 4Use a sample button to load a known hash and confirm the tool recognises that format on your end.
5. 5Use Copy summary to grab the full analysis (input shape plus ranked candidate list) for an audit log, a CTF write-up, or a teammate.

About this tool

Hash Identifier inspects any string you paste and returns the most likely hash, password storage format, or token type it could be, ranked from likely to long shot. It is built around the two ways real-world hashes are tagged. Many modern password hashes carry an unambiguous prefix in the Modular Crypt Format or PHC string format: $2a$ / $2b$ / $2y$ for bcrypt, $argon2i$ / $argon2id$ / $argon2d$ for Argon2, $1$ for md5crypt, $5$ for sha256crypt, $6$ for sha512crypt, $y$ for yescrypt, $7$ for scrypt, $P$ and $H$ for phpass (WordPress and phpBB3), $S$ for Drupal 7+, $apr1$ for Apache htpasswd, $8$ for Cisco Type 8, $9$ for Cisco Type 9. When the tool recognises one of these, it returns a single high-confidence match and explains the parameters (variant, cost factor, iteration count). It also detects Django's algorithm$iterations$salt$digest format (pbkdf2_sha256, pbkdf2_sha512, bcrypt_sha256, argon2), MySQL 4.1+ (* followed by 40 hex), MySQL 3.23 (16 hex), LDAP {SSHA}/{SHA}/{SMD5}/{MD5}/{CRYPT} schemes, PostgreSQL's md5... format, and the Joomla / vBulletin md5(md5(pwd)+salt):salt shape. JWTs and UUIDs are also surfaced because they are the strings most often pasted into hash identifiers by mistake. For plain hex digests the algorithm cannot be determined from shape alone: a 32-character lowercase hex string is the same shape for MD5, NTLM, MD4, MD2, RIPEMD-128, HAVAL-128, Tiger-128, and Snefru-128. The tool lists every plausible algorithm at that length with the well-known one first (MD5 for 32 chars, SHA-1 for 40, SHA-256 for 64, SHA-512 for 128) and a one-sentence note explaining where you would normally see that algorithm in production. Base64 digest forms (28, 44, 64, 88 characters) get the same treatment for SHA-1, SHA-256, SHA-384, SHA-512, and the BLAKE2 family. Confidence is colour-coded: green for a unique prefix match, blue for a strong shape match, slate for a long shot. The character class summary at the top of the result (length in characters, total bits if hex, character set) lets you sanity check the input before trusting any identification. Useful for password audits, CTF challenges, hashcat mode selection, John the Ripper format flags, parsing /etc/shadow lines, reading dumps from forensic tools, debugging API tokens, identifying legacy migrations, and figuring out what kind of string an old database column actually contains. All analysis runs in your browser using regular expressions. The strings you paste here are never uploaded, logged, or shared.

Free to use. Works in your browser. No signup, no login.