How to Identify Hash Types: A Step-by-Step Guide

May 28, 20268 min read

When you encounter an unfamiliar string of characters during a penetration test or a CTF challenge, the first question is always: what type of hash is this? Identifying the hash type determines which cracking tool to use, what attack vectors apply, and how much effort it will take to reverse it.

This guide shows you how to identify 40+ hash types by analyzing their length, character set, and prefix patterns using the Hash Identifier from SecuriTool — all in your browser, no data sent to any server.

Open the Hash Identifier in another tab while you read:

Hash Identifier →

How Hash Identification Works

Hash identification relies on three characteristics:

Clue	What It Tells You	Example
Length	Number of characters in the hex/base64 string	32 chars → MD4/MD5/NTLM
Character set	Hex (0-9a-f), Base64 (A-Za-z0-9+/), or custom	Hex 40 chars → SHA-1
Prefix / Format	Special markers like $2y$ , $6$ , `{SSHA}`	$2y$ → bcrypt

The Hash Identifier applies pattern matching across all three dimensions and returns a confidence score for each possible match.

Step 1: Paste the Hash

Go to the Hash Identifier page. Paste your unknown string into the text area and click Identify.

The tool processes everything client-side — your hash never leaves your browser.

Step 2: Read the Results

The output lists possible matches sorted by confidence score, with a visual progress bar:

→ bcrypt (60 chars) ████████░░ 86%
  Unix SHA-512 (crypt) (106 chars) ██████░░░░ 62%
  SHA-512 (128 chars) █████░░░░░ 50%

The arrow marks the best match. The percentage reflects how well the hash matches all detection criteria (length, regex pattern, and prefix).

Step 3: Identify by Length

Hash length is the fastest way to narrow down possibilities. Here is a quick reference:

Length (hex)	Likely Hash Types	Use Case
`8`	CRC32, Adler32	Checksums, error detection
`16`	MySQL ≤ 4.1	Legacy MySQL password hashes
`32`	MD4, MD5, NTLM, LM, RIPEMD-128	Legacy auth, Windows passwords
`40`	SHA-1, RIPEMD-160, PBKDF2-HMAC-SHA1	Git commits, SSL certs, legacy APIs
`56`	SHA-224, SHA3-224, SHA-512/224	FIPS compliance, blockchain
`64`	SHA-256, SHA3-256, RIPEMD-256, GOST 256, PBKDF2-HMAC-SHA256	Modern applications, TLS, Bitcoin
`96`	SHA-384, SHA3-384	High-security, gov standards
`128`	SHA-512, SHA3-512, Whirlpool, GOST 512	Maximum security, DNSSEC

Step 4: Identify by Prefix

Password hashing algorithms use distinctive prefixes that make them instantly recognizable:

Prefix	Hash Type	Format Example
$2y$ , $2a$ , $2b$	bcrypt	`$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy`
$6$	Unix SHA-512 crypt	`$6$rounds=1000$salt$hash`
$5$	Unix SHA-256 crypt	`$5$rounds=5000$salt$hash`
$1$	Unix MD5 crypt	`$1$salt$hash`
`$argon2`	Argon2	`$argon2id$v=19$m=65536,t=3,p=4$...$...`
$SHA$	bcrypt (SHA-256 variant)	`$SHA$salt$hash`
`scrypt:`	scrypt	`scrypt:16384:8:1$...$...`
`*` (leading asterisk)	MySQL 5+	`*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4`
`0x`	Ethereum address	`0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18`

Step 5: Read a Real-World Example

Let us identify this hash:

$2y$12$LJ3m4ys3Lk0TSwHnbfOMiOXPm1Qm0M0v0M.0M0M0M0M0M0M0M0M0M0

Step 1: Length is 60 characters — too short for SHA-512 (128), too long for MD5 (32).

Step 2: Contains $2y$ prefix followed by two cost digits 12$.

Step 3: Uses A-Za-z0-9./ character set (Base64 variant).

Result: bcrypt with cost factor 12. Used by most modern web frameworks for password storage (Rails, Django, Node.js, PHP).

Quick Reference: Common Hash Patterns

Password hashes (modern):
$2y$10$... → bcrypt · $argon2id$... → Argon2id · $6$... → SHA-512 crypt

Windows authentication:
32-char hex → NTLM (aad3b435b51404eeaad3b435b51404ee)
32-char uppercase hex → LM hash

Web frameworks:
32-char hex → MD5 (WordPress, Joomla, vBulletin legacy)
40-char hex → SHA-1 (GitHub, Docker hub)

Blockchain / Crypto:
64-char hex → SHA-256 (Bitcoin)
1 or 3 followed by 25-34 chars → Bitcoin address
0x + 40 hex → Ethereum address

When Lengths Overlap

Some hash lengths map to multiple types. A 32-character hex string could be MD4, MD5, NTLM, LM, or RIPEMD-128. Here is how to disambiguate:

MD5 vs NTLM: Both are 32 hex chars. NTLM hashes are Windows domain hashes, typically extracted from a Domain Controller or SAM file. MD5 is used in Linux /etc/shadow (old), WordPress, and Joomla.
SHA-1 vs RIPEMD-160: Both 40 hex chars. SHA-1 is far more common. RIPEMD-160 appears in Bitcoin address hashing (combined with SHA-256).
CRC32 vs Adler32: Both 8 hex chars. CRC32 is more common in ZIP files and network protocols. Adler32 appears in zlib compression.

The Hash Identifier handles overlapping cases by scoring multiple factors: exact length match, regex pattern match, and a bonus for combined matching. The highest score is your best guess.

What the Tool Cannot Do

Hash identification is pattern-based, so there are limitations:

Salted hashes look identical to unsalted ones — the tool cannot detect if a salt was used.
Custom algorithms with no public pattern will not match any known type.
Encoded data (Base64, hex) may match multiple generic patterns — context matters.
Collisions: an MD5 hash and an NTLM hash can be identical in format. The tool cannot distinguish them without knowing the source.

Always combine tool output with contextual knowledge: Where did you find the hash? What system generated it? What format does the application expect?

Conclusion

Hash identification is a fundamental skill for security researchers, penetration testers, and CTF players. By analyzing length, prefix, and character set, you can narrow down 40+ hash types in seconds.

The Hash Identifier gives you an instant, client-side match with confidence scoring — no data leaves your machine, no terminal commands needed.

Try it with your own hashes:

Identify any hash:

Hash Identifier →

Published May 28, 2026 · Practical Guide · SecuriTool