How to Identify Hash Types: A Step-by-Step Guide
How to Identify Hash Types: A Step-by-Step Guide
May 28, 20268 min read
When you encounter an unfamiliar string of characters during a penetration test or a CTF challenge, the first question is always: what type of hash is this? Identifying the hash type determines which cracking tool to use, what attack vectors apply, and how much effort it will take to reverse it.
This guide shows you how to identify 40+ hash types by analyzing their length, character set, and prefix patterns using the Hash Identifier from SecuriTool — all in your browser, no data sent to any server.
Open the Hash Identifier in another tab while you read:
How Hash Identification Works
Hash identification relies on three characteristics:
| Clue | What It Tells You | Example |
|---|---|---|
| Length | Number of characters in the hex/base64 string | 32 chars → MD4/MD5/NTLM |
| Character set | Hex (0-9a-f), Base64 (A-Za-z0-9+/), or custom | Hex 40 chars → SHA-1 |
| Prefix / Format | Special markers like $2y$, $6$, {SSHA}
|
$2y$ → bcrypt |
The Hash Identifier applies pattern matching across all three dimensions and returns a confidence score for each possible match.
Step 1: Paste the Hash
Go to the Hash Identifier page. Paste your unknown string into the text area and click Identify.
The tool processes everything client-side — your hash never leaves your browser.
Step 2: Read the Results
The output lists possible matches sorted by confidence score, with a visual progress bar:
→ bcrypt (60 chars) ████████░░ 86% Unix SHA-512 (crypt) (106 chars) ██████░░░░ 62% SHA-512 (128 chars) █████░░░░░ 50%
The arrow marks the best match. The percentage reflects how well the hash matches all detection criteria (length, regex pattern, and prefix).
Step 3: Identify by Length
Hash length is the fastest way to narrow down possibilities. Here is a quick reference:
| Length (hex) | Likely Hash Types | Use Case |
|---|---|---|
8 |
CRC32, Adler32 | Checksums, error detection |
16 |
MySQL ≤ 4.1 | Legacy MySQL password hashes |
32 |
MD4, MD5, NTLM, LM, RIPEMD-128 | Legacy auth, Windows passwords |
40 |
SHA-1, RIPEMD-160, PBKDF2-HMAC-SHA1 | Git commits, SSL certs, legacy APIs |
56 |
SHA-224, SHA3-224, SHA-512/224 | FIPS compliance, blockchain |
64 |
SHA-256, SHA3-256, RIPEMD-256, GOST 256, PBKDF2-HMAC-SHA256 | Modern applications, TLS, Bitcoin |
96 |
SHA-384, SHA3-384 | High-security, gov standards |
128 |
SHA-512, SHA3-512, Whirlpool, GOST 512 | Maximum security, DNSSEC |
Step 4: Identify by Prefix
Password hashing algorithms use distinctive prefixes that make them instantly recognizable:
| Prefix | Hash Type | Format Example |
|---|---|---|
$2y$, $2a$, $2b$
|
bcrypt | $2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy |
$6$ |
Unix SHA-512 crypt | $6$rounds=1000$salt$hash |
$5$ |
Unix SHA-256 crypt | $5$rounds=5000$salt$hash |
$1$ |
Unix MD5 crypt | $1$salt$hash |
$argon2 |
Argon2 | $argon2id$v=19$m=65536,t=3,p=4$...$... |
$SHA$ |
bcrypt (SHA-256 variant) | $SHA$salt$hash |
scrypt: |
scrypt | scrypt:16384:8:1$...$... |
* (leading asterisk) |
MySQL 5+ | *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
0x |
Ethereum address | 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 |
Step 5: Read a Real-World Example
Let us identify this hash:
$2y$12$LJ3m4ys3Lk0TSwHnbfOMiOXPm1Qm0M0v0M.0M0M0M0M0M0M0M0M0M0
Step 1: Length is 60 characters — too short for SHA-512 (128), too long for MD5 (32).
Step 2: Contains $2y$ prefix followed by two cost digits 12$.
Step 3: Uses A-Za-z0-9./ character set (Base64 variant).
Result: bcrypt with cost factor 12. Used by most modern web frameworks for password storage (Rails, Django, Node.js, PHP).
Quick Reference: Common Hash Patterns
Password hashes (modern):
$2y$10$... → bcrypt · $argon2id$... → Argon2id · $6$... → SHA-512 crypt
Windows authentication:
32-char hex → NTLM (aad3b435b51404eeaad3b435b51404ee)
32-char uppercase hex → LM hash
Web frameworks:
32-char hex → MD5 (WordPress, Joomla, vBulletin legacy)
40-char hex → SHA-1 (GitHub, Docker hub)
Blockchain / Crypto:
64-char hex → SHA-256 (Bitcoin)
1 or 3 followed by 25-34 chars → Bitcoin address
0x + 40 hex → Ethereum address
When Lengths Overlap
Some hash lengths map to multiple types. A 32-character hex string could be MD4, MD5, NTLM, LM, or RIPEMD-128. Here is how to disambiguate:
-
MD5 vs NTLM: Both are 32 hex chars. NTLM hashes are Windows domain hashes, typically extracted from a Domain Controller or SAM file. MD5 is used in Linux
/etc/shadow(old), WordPress, and Joomla. - SHA-1 vs RIPEMD-160: Both 40 hex chars. SHA-1 is far more common. RIPEMD-160 appears in Bitcoin address hashing (combined with SHA-256).
- CRC32 vs Adler32: Both 8 hex chars. CRC32 is more common in ZIP files and network protocols. Adler32 appears in zlib compression.
The Hash Identifier handles overlapping cases by scoring multiple factors: exact length match, regex pattern match, and a bonus for combined matching. The highest score is your best guess.
What the Tool Cannot Do
Hash identification is pattern-based, so there are limitations:
- Salted hashes look identical to unsalted ones — the tool cannot detect if a salt was used.
- Custom algorithms with no public pattern will not match any known type.
- Encoded data (Base64, hex) may match multiple generic patterns — context matters.
- Collisions: an MD5 hash and an NTLM hash can be identical in format. The tool cannot distinguish them without knowing the source.
Always combine tool output with contextual knowledge: Where did you find the hash? What system generated it? What format does the application expect?
Conclusion
Hash identification is a fundamental skill for security researchers, penetration testers, and CTF players. By analyzing length, prefix, and character set, you can narrow down 40+ hash types in seconds.
The Hash Identifier gives you an instant, client-side match with confidence scoring — no data leaves your machine, no terminal commands needed.
Try it with your own hashes:
Identify any hash:
Published May 28, 2026 · Practical Guide · SecuriTool
Top comments (0)