Referencia de tipos de hash

A 128-bit MD5 message digest shown as 32 hexadecimal characters. Fast, unsalted, and cryptographically broken — trivially crackable with a GPU.

A 160-bit SHA-1 digest as 40 hex characters. Deprecated for security use; unsalted and fast to brute-force.

A 256-bit SHA-2 digest as 64 hex characters. Strong as a digest but, when unsalted, still brute-forceable for weak passwords.

A 512-bit SHA-2 digest, 128 hex characters. Strong digest; unsalted variants still fall to wordlists.

Salted MD5 in the form hash:salt, with the salt appended to the password before hashing.

Salted MD5 with the salt prepended to the password. Stored as hash:salt.

Salted SHA-1 with the salt appended to the password, stored as hash:salt.

The 128-bit MD4 digest. Obsolete and even weaker than MD5; survives mainly inside NTLM.

Salted SHA-256 with the salt appended to the password, stored as hash:salt.

MD5 applied twice. Common in older PHP apps; offers no real protection over single MD5.

A 224-bit truncated SHA-2 digest, 56 hex characters. Unsalted.

A 384-bit truncated SHA-2 digest, 96 hex characters.

SHA-1 applied twice. Found in some legacy web apps; barely harder than single SHA-1.

An HMAC-SHA1 message authentication code with the salt as the key.

A 256-bit SHA-3/Keccak digest. Used in Ethereum and modern protocols.

A BLAKE2b-512 digest with the $BLAKE2$ prefix. Fast modern hash.

SHA-256 applied twice; appears in some apps and blockchain contexts.

The first 16 hex characters of an MD5 digest. Same length as MySQL323 and Oracle DES hashes.

A 160-bit RIPEMD digest. Used in some crypto/Bitcoin contexts; rendered as 40 hex characters.

A 512-bit SHA-3 digest, 128 hex characters.

Salted SHA-512 with the salt appended to the password, stored as hash:salt.

A 512-bit Whirlpool digest, 128 hex characters — same length as SHA-512.

A 256-bit Keccak digest (used by Ethereum), 64 hex characters — same length as SHA-256.

The Russian GOST 34.11-94 hash, 64 hex characters — same length as SHA-256.

A 512-bit Keccak digest, 128 hex characters — same length as SHA-512/Whirlpool.

A 224-bit SHA-3 digest, 56 hex characters — same length as SHA-224.

A 384-bit SHA-3 digest, 96 hex characters — same length as SHA-384.

A 192-bit Tiger digest, 48 hex characters.

Nested md5(sha1($pass)), 32 hex characters — same length as plain MD5.

A 128-bit RIPEMD digest, 32 hex characters — same length as MD5/NTLM.

Nested sha1(md5($pass)), 40 hex characters — same length as plain SHA-1.

Salted SHA-384 with the salt appended to the password, stored as hash:salt.

The 256-bit Russian GOST R 34.11-2012 (Streebog) digest, 64 hex characters.

The 512-bit Russian GOST R 34.11-2012 (Streebog) digest, 128 hex characters.

A 224-bit Keccak digest (pre-standard SHA-3), 56 hex characters.

A 384-bit Keccak digest (pre-standard SHA-3), 96 hex characters.

An obsolete 128-bit MD2 digest, 32 hex characters. Cryptographically broken.

The NTLM hash Windows stores for local and domain accounts. Unsalted MD4 of the UTF-16 password — recovered fast on GPUs and replayable via pass-the-hash.

Legacy Windows LAN Manager hash. Uppercases the password and splits it into two 7-char halves — crackable in seconds.

Cached domain logon credentials from a Windows machine (PBKDF2 over the NTLM hash). Slow to crack.

Legacy Windows cached domain credentials (MS-Cache v1), salted with the username and stored as hash:username. Fast to crack.

A Windows DPAPI master key (pre-Win10 1607). Recover the user's logon password offline.

A Windows DPAPI master key (Win10 1607+). Recover the user's logon password offline.

MySQL 4.1+ password hash: SHA1(SHA1(pass)) prefixed with '*'. Unsalted and GPU-friendly.

PostgreSQL stores md5(password + username) prefixed with 'md5'. The username is the salt.

Microsoft SQL Server 2012+ password hash — salted SHA-512.

Microsoft SQL Server 2005 password hash — salted SHA-1.

The 16-hex-character hash from MySQL ≤ 4.0. Weak proprietary algorithm, broken in milliseconds.

Oracle 11g password hash — salted SHA-1 with the 'S:' prefix.

The modern PostgreSQL (10+) SCRAM-SHA-256 credential. Iterated PBKDF2 — slower than the legacy md5 scheme.

Microsoft SQL Server 2000 password hash (case-sensitive + case-insensitive SHA-1).

MongoDB SCRAM-SHA-1 credential. Iterated PBKDF2-style; crackable offline.

Oracle 7–10g password hash based on DES; the username acts as the salt.

A Sybase ASE 15+ password hash (salted SHA-256) with a 0xc007 prefix.

NetNTLMv2 challenge/response captured from SMB/LDAP auth (e.g. via Responder). Crackable offline with a wordlist.

A Kerberoast ticket (TGS-REP, RC4/etype 23) dumped from Active Directory. Crack it offline to recover the service account password.

A WPA/WPA2 4-way handshake in the hashcat 22000 (hcxtools) format. Offline dictionary attack against the Wi-Fi PSK.

A WPA/WPA2 PMKID captured from a Wi-Fi access point. Crack the PSK offline with a wordlist.

An AS-REP for an account with pre-auth disabled. Crackable offline to recover the user's password.

Cisco IOS type 7 'encryption' — a trivially reversible Vigenère cipher, not a hash. Decode instantly with any type-7 tool.

Cisco IOS type 5 secret — identical to Unix md5crypt.

NetNTLMv1 challenge/response. Weaker than v2 and downgradeable to DES brute force.

A Kerberos AS-REQ pre-authentication timestamp captured from the wire. Crack offline for the user's password.

Cisco IOS type 8 secret based on PBKDF2-HMAC-SHA256.

Cisco IOS type 9 secret based on the memory-hard scrypt KDF — very slow to crack.

AES-based Kerberos TGS ticket (etype 17/18). Much slower to crack than RC4 etype 23.

An IPMI 2.0 RAKP HMAC-SHA1 hash dumped from a BMC (server lights-out controller). Crackable offline; BMCs often ship weak default passwords.

An MD5 CHAP challenge/response (PPP, iSCSI): response:challenge:id. Crack offline for the secret.

A FortiGate/FortiOS administrator password hash (salted SHA-1 with an AK1 prefix).

A captured SIP (VoIP) digest authentication challenge/response. Crack offline for the SIP password.

A captured SNMPv3 HMAC authentication packet. Crack offline for the SNMP auth password.

An IPsec IKE aggressive-mode PSK handshake (colon-separated hex fields). Use hashcat -m 5300 for MD5 or -m 5400 for SHA1.

A captured CRAM-MD5 (SMTP/IMAP/POP) authentication exchange. Crack offline for the mailbox password.

A bcrypt/Blowfish password hash with a tunable cost factor. Deliberately slow — only short or weak passwords are realistically crackable.

Django's default PBKDF2-HMAC-SHA256 password hash with a high iteration count. Slow to crack by design.

The modern, memory-hard Argon2 KDF (winner of the Password Hashing Competition). Extremely resistant to GPU cracking.

PBKDF2 with HMAC-SHA512. Used by macOS and various password managers; tunable iterations.

The memory-hard scrypt KDF. Resistant to GPU/ASIC cracking by design.

PBKDF2 with HMAC-SHA1 (sha1:iterations:salt:hash). Tunable iterations make it slow.

PBKDF2 with HMAC-MD5 (md5:iterations:salt:hash).

The default Linux /etc/shadow hashing scheme (SHA-512 crypt). Salted with thousands of rounds — slow to crack.

The FreeBSD/Linux md5crypt scheme (1000 MD5 iterations). Salted and slower than raw MD5 but still weak by modern standards.

The SHA-256 crypt(3) scheme used in /etc/shadow. Salted with configurable rounds.

The classic 13-character DES crypt(3) hash. Limited to 8 significant password characters; weak by design.

The modern default /etc/shadow scheme on recent Linux (Debian 11+, Fedora). Memory-hard and very slow to attack.

An AIX salted-MD5 ({smd5}) password hash — md5crypt under the hood.

An AIX salted-SHA1 ({ssha1}) password hash with an iteration count.

An AIX salted-SHA256 ({ssha256}) password hash with an iteration count.

An AIX salted-SHA512 ({ssha512}) password hash with an iteration count.

BSDi extended DES crypt with a variable iteration count.

A macOS 10.4–10.6 password hash: salted SHA-1, 48 hex characters (8 hex salt + 40 hex digest).

A macOS 10.7 Lion password hash: salted SHA-512, 136 hex characters (8 hex salt + 128 hex digest).

The portable phpass hash used by WordPress ($P$) and phpBB3 ($H$). Iterated MD5 — slower than raw MD5 but still crackable.

Apache's md5crypt variant used in .htpasswd files.

An encrypted OpenSSH/PEM private key. Crack the key passphrase offline; mode varies by key type.

Drupal 7's SHA-512-based phpass variant with many iterations.

Base64-encoded salted SHA-1 ({SSHA}) — the default OpenLDAP password scheme.

Legacy Django SHA-1 password hash in algorithm$salt$hash form.

A passphrase-protected GnuPG/OpenPGP secret key. Recover the key passphrase offline.

Joomla legacy password: MD5 of the password concatenated with a salt, stored as hash:salt.

A KeePass database master-key hash. High iteration count makes brute force slow.

Base64-encoded unsalted SHA-1 with a {SHA} prefix, used by LDAP/Netscape directories.

An Ansible Vault encrypted secret (PBKDF2-HMAC-SHA256 + AES-256). Crack the vault password offline.

A Bitwarden password-manager vault (PBKDF2-HMAC-SHA256). Recover the master password offline.

An Apple macOS keychain database. Recover the keychain password offline.

vBulletin password: md5(md5($pass).$salt). Stored as hash:salt.

A 1Password cloud-keychain vault (PBKDF2-HMAC-SHA512). Recover the master password offline.

An Atlassian (Jira/Confluence/Crowd) password hash — PBKDF2-HMAC-SHA1 with the {PKCS5S2} prefix.

An encrypted iOS/iTunes backup from iTunes >= 10 (PBKDF2-HMAC-SHA256, very high iterations).

Base64-encoded salted SHA-256 used by LDAP directories.

Base64-encoded salted SHA-512 used by LDAP directories.

A Telegram Desktop local passcode (PBKDF2-HMAC-SHA1/512). Recover the passcode offline.

Invision Power Board password: md5(md5($salt).md5($pass)).

An encrypted iOS/iTunes backup created by iTunes < 10 (PBKDF2-HMAC-SHA1).

A LastPass vault credential: hash:iterations:email. Recover the master password offline.

A MediaWiki (the wiki engine behind Wikipedia) password hash: md5($salt.md5($pass)) with a $B$ prefix.

A Firefox/Thunderbird master-password key database. Recover the master password offline.

An encrypted PKCS#8 / PEM private key. Recover the key passphrase offline.

An EPiServer (.NET CMS) password hash, version 0 (salted SHA-1).

An EPiServer (.NET CMS) password hash, version 1 (salted SHA-256).

A Java KeyStore (.jks) private-key entry. Recover the keystore password offline.

osCommerce password: md5($salt.$pass) with a 2-char salt.

A Password Safe v3 database (SHA-256, configurable iterations). Recover the master password offline.

A Redmine project-management password: sha1($salt.sha1($pass)), stored as hash:salt.

SAP CODVN B (BCODE) password hash.

SAP CODVN F/G (PASSCODE) password hash based on SHA-1.

A WoltLab Burning Board 3.x forum password: double-salted SHA-1, stored as hash:salt.

An IBM Lotus Notes/Domino 6 account hash (base64 in parentheses). Crack offline for the user password.

An IBM RACF (z/OS mainframe) password hash (DES). Crack offline for the mainframe password.

A signed JSON Web Token. If signed with HMAC (HS256), the secret can be brute-forced offline to forge tokens.

MS Office 2013/2016/2019 document encryption (SHA-512 + AES, 100k iterations). Slow to crack.

Encryption hash from a modern AES-256 PDF (Acrobat X/XI). Slow to crack.

MS Office 2010 document encryption (SHA-1 + AES, 100k iterations).

MS Office 2007 document encryption (SHA-1 + AES, 50k iterations).

Encryption hash extracted from an Acrobat 2–4 PDF. Recover the password offline.

An encrypted OpenDocument (LibreOffice/OpenOffice) file. Recover the document password offline.

An encrypted Apple iWork (Pages/Numbers/Keynote) document. Recover the password offline.

An encrypted ZIP archive hash (WinZip AES or legacy PKZIP). Crack the archive password offline.

A 7-Zip archive hash (AES-256 with many SHA-256 iterations). Slow to crack.

A RAR5 archive password hash (PBKDF2-HMAC-SHA256). Slow to crack.

A RAR3 archive password hash. Slow iterated SHA-1 + AES.

An encrypted Android backup (adb backup) archive. Recover the backup password offline.

An AxCrypt-encrypted file (AES + iterated key wrap). Recover the file password offline.

A password-protected StuffIt5 (.sit) archive. Recover the archive password offline.

A Windows BitLocker volume hash. Memory-hard and extremely slow to attack.

A Linux LUKS full-disk-encryption header. Very slow PBKDF2; only weak passphrases are realistic.

An Android full-disk-encryption footer (Android 4.3+). Recover the device password/PIN offline.

A MetaMask browser-wallet vault (PBKDF2-HMAC-SHA256 + AES-GCM). Recover the wallet password offline.

A Bitcoin/Litecoin Core wallet.dat hash. Recover the wallet passphrase offline.

An Electrum Bitcoin wallet hash. Recover the wallet password offline.

A Blockchain.info My-Wallet backup. Recover the wallet password offline.

An Ethereum keystore (PBKDF2 variant) wallet hash.

An Ethereum keystore (scrypt variant) wallet hash — memory-hard and very slow.

An Ethereum presale wallet hash. Recover the wallet passphrase offline.

A 32-bit CRC checksum, not a cryptographic hash. Used for integrity, trivially collidable.

A 32-bit Adler checksum used by zlib. Not cryptographic.

A 32-bit CRC-32C (Castagnoli) checksum. Not cryptographic.

A 64-bit CRC checksum, 16 hex characters. Not cryptographic.

Not a hash — Base64 is reversible encoding. Decode it directly (e.g. `base64 -d`).