Cyber Security • RF • Conversions
Back to blogcyber security

How to identify an unknown hash quickly

Learn a practical workflow for identifying unknown hash formats using length, character set, prefixes, separators, and common false positives.

Published Jan 17, 2026Updated Jun 30, 20267 min read
Hash identifier guide showing length and character set clues

The fast method

Most unknown hashes can be narrowed down by checking length, character set, and format clues. You may not identify the exact algorithm every time, but you can usually build a short list of likely candidates.

Start with the Hash Identifier tool, then use the checks below to understand why a match appears.

Step 1: Count the characters

Length is the first clue.

LengthCommon possibility
32 hex charactersMD5, NTLM, some truncated hashes
40 hex charactersSHA-1
56 hex charactersSHA-224
64 hex charactersSHA-256, SHA3-256, BLAKE2 variants
96 hex charactersSHA-384
128 hex charactersSHA-512

Length alone is not proof. Several algorithms can produce the same length, and developers sometimes truncate hashes.

Step 2: Check the character set

Look at which characters appear:

  • Hex hashes use 0-9 and a-f.
  • Base64-like values may include uppercase, lowercase, digits, +, /, and =.
  • Modular crypt formats often include $ separators.
  • bcrypt hashes often start with $2a$, $2b$, or $2y$.

If a value contains characters outside hex, it is not a plain hex-encoded MD5, SHA-1, or SHA-256 hash.

Step 3: Look for prefixes and separators

Some hashes carry metadata:

  • $2b$12$... usually points to bcrypt.
  • $argon2id$... points to Argon2id.
  • {SHA} or {SSHA} may appear in LDAP-style storage.
  • Salted formats may include hash:salt, salt:hash, or multiple $ fields.

These markers are often more useful than length.

Step 4: Beware false matches

A 32-character hex string is not automatically MD5. It could be:

  • NTLM
  • A random API key
  • A truncated SHA-256 value
  • A database identifier
  • Encrypted or encoded data that only looks like a hash

Always treat hash identification as a probability, not a guarantee.

Step 5: Verify with a known sample

If you control the original input, hash the same input with likely algorithms and compare outputs. For SHA-256, use the SHA-256 generator. If the result matches, you have strong evidence.

FAQ

Can a hash identifier recover the original password?

No. A hash identifier only guesses the likely algorithm or format. Recovering the original input is a separate cracking problem and may be impossible.

Why do several algorithms appear as candidates?

Many algorithms share output length and character sets. A good identifier should rank candidates and explain why each one matched.

Should I paste real password hashes into online tools?

Avoid pasting sensitive production hashes into public tools. Use test values or local/internal tooling for real incident response.