Hash identifier

Paste a hash and see which algorithms could have produced it — by length, charset and format, with the ambiguity stated honestly. Runs in your browser.

paste a hash above — results appear as you type


What can — and can't — be identified

A raw digest is just bytes; it carries no label. So for hex strings, the length is the evidence: 32 characters points at MD5, 40 at SHA-1, and so on. But several algorithms share lengths — a 64-character hash is equally SHA-256, SHA3-256 or BLAKE3, and nothing in the string itself can settle it. This tool lists all the candidates instead of pretending to certainty; context (the filename SHA256SUMS, the API's documentation) settles the rest. Structured formats are the exception — bcrypt, Argon2 and unix crypt hashes announce themselves in their prefix.

The length table

hex charsbytescandidates
84CRC-32
3216MD5
4020SHA-1
5628SHA-224 · SHA3-224
6432SHA-256 · SHA3-256 · BLAKE3
9648SHA-384 · SHA3-384
12864SHA-512 · SHA3-512

Base64 is the same digests in different clothes — 24, 28, 44 or 88 characters usually ending in =; this tool decodes it and reasons from the byte count.

Password hashes are different animals

Strings like $2b$12$… (bcrypt), $argon2id$… or $6$… (sha512crypt) aren't checksums at all — they're deliberately slow password-storage formats carrying their own salt and cost parameters. Recognizing one tells you what system stored it, not what the password was; there is no "reversing" here, only guessing, which is exactly what those formats exist to make expensive. If what you actually want is to check a file against a published hash, that's the verify tool; for the concepts, see what is a checksum.

questions

Can you really tell the algorithm from the hash itself?

Only partly — and this page is honest about it. A raw hex digest carries no label, so the length is the main clue, and several algorithms share lengths: 64 characters could equally be SHA-256, SHA3-256 or BLAKE3. Formats with structure (bcrypt's $2b$…, Argon2's $argon2id$…) are identifiable with certainty.

Can I reverse a hash to get the original text back?

No. A hash isn't encryption — there's no key and no inverse function. For short, guessable inputs an attacker can precompute tables and look values up, which is why passwords need salted, slow hashes rather than plain MD5 or SHA-256.

What do prefixes like $2b$, $6$ or $argon2id$ mean?

They're password-hash formats (modular crypt format): $2b$ is bcrypt, $6$ is sha512crypt, $argon2id$ is Argon2. The prefix encodes the algorithm plus cost parameters and salt — unlike checksums, which are bare digests.

Why does my "hash" end in one or two = signs?

That's base64 padding — the same digest encoded differently. This page decodes it and infers the algorithm from the byte length: 16 bytes suggests MD5, 32 suggests SHA-256, and so on. Some APIs and webhooks emit base64 where downloads use hex.

It says my string isn't recognized. What could it be?

It may be truncated, a hash type this page doesn't track, an encrypted blob, or just random data. Check for missing characters first — a SHA-256 with one digit lost becomes 63 characters and matches nothing.