Hash Identifier
Identify hash types (MD5, SHA-1, SHA-256, bcrypt, etc.)
Understanding Hash Functions
Hash functions are one-way mathematical algorithms that convert data of any size into a fixed-size string of characters. They are fundamental to cryptography, data integrity, and password storage.
Properties of Good Hash Functions
- Deterministic: Same input always produces same output
- Fast to compute: Quick to calculate hash value
- Pre-image resistance: Hard to reverse (one-way)
- Small changes cascade: Minor input change = completely different hash
- Collision resistant: Hard to find two inputs with same hash
Common Hash Algorithms
MD5 (Message Digest 5)
- Length: 32 hexadecimal characters (128 bits)
- Status: Broken - DO NOT USE for security
- Use case: Checksums only (not security)
- Vulnerability: Collision attacks demonstrated
SHA-1 (Secure Hash Algorithm 1)
- Length: 40 hexadecimal characters (160 bits)
- Status: Broken - deprecated
- Use case: Git commits (legacy), avoid for new systems
- Vulnerability: Collision attacks possible
SHA-256 (SHA-2 family)
- Length: 64 hexadecimal characters (256 bits)
- Status: Secure - widely recommended
- Use case: Certificates, blockchain, data integrity
- Security: No known practical attacks
SHA-512 (SHA-2 family)
- Length: 128 hexadecimal characters (512 bits)
- Status: Secure - high security
- Use case: High-security applications
- Security: Higher security margin than SHA-256
bcrypt
- Format: $2a$10$... (includes salt and cost)
- Status: Secure - recommended for passwords
- Use case: Password hashing
- Features: Adaptive, resistant to brute-force
Argon2
- Format: $argon2i$... or $argon2id$...
- Status: Most secure - winner of Password Hashing Competition
- Use case: Password hashing (recommended)
- Features: Memory-hard, GPU-resistant
Hash Types by Purpose
Cryptographic Hashes (Data Integrity)
| Algorithm | Security | Recommendation |
|---|---|---|
| MD5 | Broken | Never use |
| SHA-1 | Broken | Migrate away |
| SHA-256 | Strong | Recommended |
| SHA-512 | Very Strong | High security |
| SHA-3 | Strong | Modern alternative |
Password Hashing
| Algorithm | Security | Recommendation |
|---|---|---|
| MD5/SHA-1 (no salt) | Insecure | Never use |
| PBKDF2 | Acceptable | If others unavailable |
| bcrypt | Strong | Recommended |
| scrypt | Strong | Good choice |
| Argon2 | Excellent | Best choice |
Security Considerations
Don't Use Fast Hashes for Passwords
Never use MD5, SHA-1, or SHA-256 directly for password storage. These are designed to be fast, making them vulnerable to brute-force attacks. Use purpose-built password hashing functions like bcrypt or Argon2.
Always Use Salt
Salt is random data added to passwords before hashing to prevent rainbow table attacks:
- Unique salt for each password
- At least 16 bytes (128 bits) of random data
- Store salt alongside hash (it's not secret)
Use Adaptive Cost Factor
Modern password hashing functions allow configurable work factors:
- bcrypt: Cost factor 12-14 (2^12 to 2^14 iterations)
- Argon2: Memory cost, time cost, parallelism
- Adjust over time as hardware improves
Identifying Unknown Hashes
By Length (Hexadecimal)
- 32 chars: MD5 or NTLM
- 40 chars: SHA-1
- 56 chars: SHA-224
- 64 chars: SHA-256, SHA3-256
- 96 chars: SHA-384
- 128 chars: SHA-512
By Format Prefix
- $1$: MD5 crypt
- $2a$, $2b$, $2y$: bcrypt
- $5$: SHA-256 crypt
- $6$: SHA-512 crypt
- $argon2: Argon2
- $pbkdf2: PBKDF2
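An added example (not code from this page or its tool) that combines the two methods above in Python: prefixes are checked first, then hex length, and a bcrypt string also has its cost parsed and compared with the 12-14 range given earlier. The name `identify`, the bcrypt body check (53 characters after the cost field) and the sample values are assumptions of this example.

```python
import re

# Hex length -> candidate algorithms, from the "By Length" list above.
HEX_LENGTHS = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 56: ["SHA-224"],
               64: ["SHA-256", "SHA3-256"], 96: ["SHA-384"], 128: ["SHA-512"]}
# Prefix -> scheme, from the "By Format Prefix" list above.
PREFIXES = [("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
            ("$argon2", "Argon2"), ("$pbkdf2", "PBKDF2"),
            ("$1$", "MD5 crypt"), ("$5$", "SHA-256 crypt"), ("$6$", "SHA-512 crypt")]
# Assumption of this example: a well-formed bcrypt string is the variant,
# a two-digit cost, then 53 characters of salt+hash in bcrypt's alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify(value):
    """Return {'candidates': [...], 'notes': [...]} for one hash string."""
    h = value.strip()
    notes = []
    for prefix, name in PREFIXES:
        if not h.startswith(prefix):
            continue
        if name == "bcrypt":
            m = BCRYPT_RE.match(h)
            if not m:
                notes.append("bcrypt prefix but malformed body")
            else:
                cost = int(m.group(1))
                notes.append(f"cost={cost}")
                if cost < 12:
                    notes.append("cost below the 12-14 range recommended above")
        return {"candidates": [name], "notes": notes}
    if HEX_RE.match(h):
        candidates = HEX_LENGTHS.get(len(h), [])
        if len(candidates) > 1:
            notes.append("length alone is ambiguous; check where the value came from")
        if not candidates:
            notes.append(f"hex string of unlisted length {len(h)}")
        return {"candidates": candidates, "notes": notes}
    return {"candidates": [], "notes": ["not hex and no known prefix"]}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ["a" * 32, "0" * 64, "$2a$10$" + "A" * 53, "$6$salt$abc", "zzzz"]:
        print(sample[:20], identify(sample))
```

Length only narrows the candidates: a 32-character hex value stays ambiguous between MD5 and NTLM until the source system is known.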
Recommended Algorithms
Password Hashing
- Argon2id (best)
- bcrypt
- scrypt
Data Integrity
- SHA-256
- SHA-512
- SHA-3
Avoid These
- MD5 (broken)
- SHA-1 (broken)
- Plain passwords
- Unsalted hashes
- Fast hashes for passwords
Quick Reference
Hash Length Guide
- MD5: 128 bits (32 hex)
- SHA-1: 160 bits (40 hex)
- SHA-256: 256 bits (64 hex)
- SHA-512: 512 bits (128 hex)
bcrypt Format
$2a$10$salt+hash
$2a = variant, 10 = cost