Skip to content
Hash Identifier

How to identify an unknown hash: a practical guide

Found a mystery hash? Learn the signals that reveal its type — length, character set and prefixes like $2y$ or $6$ — and how to identify it privately in your browser.

Published on 3 min read
hash identificationhashcatjohn the ripperpassword cracking

A hash on its own is just a string of characters. Before you can audit it, document it or attempt to recover the password behind it, you need to know what kind of hash it is. Hash identification is the process of reading a digest and working out which algorithm produced it. Get it right and every later step is straightforward; get it wrong and your cracking tool will churn forever against the wrong format.

The signals that reveal a hash type

Three properties do most of the work.

Length. A raw hash has a fixed width once it is hex-encoded. A 32-character hex string is almost always MD5; 40 characters points to SHA-1; 64 characters to SHA-256; 128 to SHA-512. NTLM, used by Windows, is also 32 hex characters, which is exactly why length alone is never the final answer.

Character set. Pure hexadecimal (0–9, a–f) suggests a raw digest. A mix of upper- and lower-case letters, digits and + or / suggests Base64 encoding. Dots, dollar signs and colons usually mean a structured, salted format rather than a bare digest.

Prefixes and structure. Modern password hashes announce themselves. A string starting with $2y$, $2a$ or $2b$ is bcrypt. A leading $6$ marks sha512crypt; $1$ marks md5crypt. Three Base64 segments separated by dots are almost certainly a JSON Web Token. These structured strings embed the salt, the cost factor and the digest in one self-describing line.

$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

The example above is bcrypt: the $2y$ identifier, the 10 cost factor, and the 22-character salt followed by the digest are all visible at a glance.

Identifying a hash without leaking it

Pasting a credential hash into a random website is a real risk — many "hash lookup" sites log everything they receive. This site avoids that entirely. The identifier on the home page runs in WebAssembly inside your browser: the hash is analysed locally and never travels to a server. You get an instant match against dozens of formats with zero exposure.

If you would rather work offline, the same logic underpins the command-line tools. John the Ripper will guess a format automatically, and the identifier here mirrors that behaviour so the result lines up with the tool you will actually use.

What to do once you know the type

Identification is only step one. Once you have a confident match, open the corresponding page in the hash type index to get the ready-to-run commands. Each page lists the correct hashcat -m mode and the John the Ripper format name, so you can move straight to recovery.

From there, the choice of tool matters. Read hashcat vs John the Ripper to decide which engine fits your hardware and workload, and brush up on the wordlist concept before you launch your first attack. Understanding the structure you just identified — especially whether the hash carries a salt — tells you a great deal about how hard the recovery will be.

Related articles

Hashcat vs John the Ripper: which cracker should you use?
A practical comparison of hashcat and John the Ripper — GPU vs CPU strengths, autodetection, -m modes, jumbo formats, wordlists and rules — with example commands.
hashcatjohn the ripperpassword crackingwordlists
Finding the right hashcat -m mode (and what to do when you get it wrong)
Hashcat won't autodetect anything. Here is how to pick the correct -m mode, disambiguate look-alike hashes, and read the errors that mean you chose wrong.
hashcathash identificationpassword crackingntlm
Why fast hashes are dangerous for password storage
MD5 and SHA-1 fall to a GPU in seconds because they are fast and often unsalted. Learn why slow KDFs like bcrypt and Argon2 resist — and what defenders should do.
hashcatjohn the ripperpassword crackingbcrypt