
Series

Hash formats explained

7 posts in this series. Read them in order or jump to any one.

  1. Is MD5 still worth cracking in 2026?

    MD5 is a fast unsalted digest that still litters real systems. Why cracking it is a preimage guessing game, not a collision, and what defenders should do.

  2. How bcrypt resists GPUs

    Why bcrypt drops cracking throughput from billions to thousands per second: the cost factor, its GPU-hostile key schedule, and the 72-byte truncation gotcha.

  3. What an NTLM hash actually is

    NTLM is the MD4 of a UTF-16LE password: unsalted, fast, password-equivalent. How it differs from NetNTLMv2, where it lives, and why length is the only defence.

  4. sha512crypt and /etc/shadow: how Linux stores your password

    What the $6$ in /etc/shadow means, how sha512crypt rounds and salts work, why it is slower than raw SHA-512 but weaker than bcrypt, and how to crack it.

  5. Argon2 vs bcrypt vs scrypt: picking a password KDF in 2026

    Memory hardness is the real defense against GPUs and ASICs. How argon2id, bcrypt, scrypt and PBKDF2 compare, how to tune them, and which one to actually pick.

  6. Cracking WPA2: the PMKID attack and the 4-way handshake

    Two ways into a WPA2 network: capture the EAPOL handshake or pull a clientless PMKID. How to produce 22000 format and crack it with hashcat, plus why WPA3 resists.

  7. Brute-forcing JWT HS256 secrets with hashcat

    An HS256 token carries everything an attacker needs to verify a guessed secret offline. How weak HMAC keys fall to hashcat -m 16500, and how to forge tokens after.
