Identify the algorithm of a hash

Identifies the most likely algorithm behind a hash (MD5, SHA-1, SHA-256, bcrypt, Argon2...) from its length and format, and tries to recover the plaintext via a dictionary of common passwords.
Paste any hash (hexadecimal, bcrypt $2y$..., Argon2 $argon2id$...). The tool detects the most likely algorithm.

What is a cryptographic hash?

A hash (or cryptographic fingerprint) is the result of a function that turns an arbitrarily sized input (a password, a file, a string) into a fixed-size string. This function is one-way: from a hash, it is computationally infeasible to recover the original input. Two identical inputs always produce the same hash, but the smallest change in the input completely changes the result.

Our tool identifies the likely algorithm of a hash from its format, and attempts a lookup against a dictionary of ultra-common passwords precomputed against the main algorithms.

How do I identify a hash?

Identification rests on three clues:

  • Length: each algorithm produces a fixed-size fingerprint.
  • Format: pure hexadecimal, Base64, or Modular Crypt Format with specific prefixes.
  • Prefix: modern password hashes follow the $id$params$salt$hash format, where id unambiguously identifies the function used.

Common hexadecimal lengths

  • 8 characters: CRC32 (checksum, not a cryptographic hash)
  • 32 characters: MD5, MD4, NTLM, RIPEMD-128
  • 40 characters: SHA-1, RIPEMD-160
  • 64 characters: SHA-256, SHA3-256
  • 96 characters: SHA-384, SHA3-384
  • 128 characters: SHA-512, SHA3-512, Whirlpool

Length alone is not conclusive: MD5 and NTLM share the same 32-hex-character size, for example. In that case, our tool returns the list of possible algorithms.

Modular Crypt Format prefixes

Password hashes from crypt() or modern libraries use an explicit prefix:

  • $1$: MD5 crypt
  • $5$: SHA-256 crypt
  • $6$: SHA-512 crypt
  • $2y$, $2a$, $2b$: Bcrypt (variants depending on the platform)
  • $argon2i$, $argon2id$, $argon2d$: Argon2 (usage variants, Argon2id being recommended today)

Example of a Bcrypt hash

$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
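
The three clues above combined into a small classifier, as an added example (not the tool's own code). The function names `identify_hash` and `parse_bcrypt` are hypothetical; the lookup tables are copied from the lists above, and the bcrypt field widths (two-digit cost, 22-character salt, 31-character hash) are the standard layout.

```python
import re

# Candidate algorithms per hexadecimal length (from the list above).
HEX_LENGTHS = {
    8: ["CRC32"],
    32: ["MD5", "MD4", "NTLM", "RIPEMD-128"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384", "SHA3-384"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

# Modular Crypt Format identifiers (from the list above).
MCF_IDS = {
    "1": "MD5 crypt", "5": "SHA-256 crypt", "6": "SHA-512 crypt",
    "2a": "Bcrypt", "2b": "Bcrypt", "2y": "Bcrypt",
    "argon2i": "Argon2i", "argon2id": "Argon2id", "argon2d": "Argon2d",
}

# bcrypt layout: $<id>$<2-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def identify_hash(value):
    """Return the list of candidate algorithms for a hash string."""
    value = value.strip()
    if value.startswith("$"):
        # Prefix check first: the id field is unambiguous.
        parts = value.split("$")
        algo = MCF_IDS.get(parts[1]) if len(parts) > 2 else None
        return [algo] if algo else []
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        # Length only narrows the field; several algorithms may remain.
        return list(HEX_LENGTHS.get(len(value), []))
    return []


def parse_bcrypt(value):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(value.strip())
    if not m:
        return None
    return {"variant": m.group(1), "cost": int(m.group(2)),
            "salt": m.group(3), "hash": m.group(4)}
```

Applied to the bcrypt example above, `parse_bcrypt` reports variant `2y` and cost 10, which is the cost factor an auditor would check against current recommendations.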

Use cases

  • Data breach analysis: identify the algorithm used by a compromised database to assess attack difficulty.
  • Debugging: quickly confirm which algorithm generated a fingerprint found in an API response or a log.
  • Security audit: spot a system still storing passwords in MD5 or SHA-1 (to be banned).
  • Forensics: characterise an artefact in an investigation.

Why a hash is not reversible

A hash function is designed to be one-way. No "hash decryption" algorithm exists, because a hash is not encryption: it is a projection. Multiple different inputs can in theory produce the same hash (collision), so even knowing an input that produces the right hash, you have no guarantee it is the original input.

In practice, "cracking" a hash means massively testing candidate inputs until finding one whose fingerprint matches. This is what dictionary and brute-force attacks do.

Built-in dictionary lookup

Our tool includes a mini-dictionary of 39 ultra-common passwords: empty string, password, admin, 123456, qwerty, letmein, etc. These 39 entries are precomputed against 10 algorithms (MD5, SHA-1, SHA-256, SHA-512, MD4, NTLM, etc.). If your hash matches one of these fingerprints, the tool returns the password in cleartext.

This feature illustrates why simple hashes are not suited to passwords: an attacker does not even need to compute anything; they just consult a table.

Simple hash vs password hash

Not all hashes are equal for storing passwords:

  • Simple hashes (MD5, SHA-256, SHA-512): designed to be fast, which is a flaw when you want to resist a brute-force attack. They do not include a salt by default, so two users with the same password will have the same hash, exposing them to precomputed-table (rainbow table) attacks.
  • Password hashes (bcrypt, scrypt, Argon2): designed to be slow by construction, they integrate a random salt and a configurable cost factor. Argon2id is today the state of the art recommended by OWASP.
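
The built-in dictionary lookup and the salted alternative side by side, as an added example (not the tool's own code). The word list is a constructed subset of the passwords named above, the function names are hypothetical, and scrypt from Python's standard library stands in for the password-hash family with assumed parameters n=2**14, r=8, p=1.

```python
import hashlib
import hmac
import os

# Constructed sample: a few of the ultra-common passwords named on this page.
COMMON = ["", "password", "admin", "123456", "qwerty", "letmein"]
FAST_ALGOS = ["md5", "sha1", "sha256", "sha512"]


def build_table(words=COMMON, algos=FAST_ALGOS):
    """Precompute digest -> (algorithm, password) for unsalted fast hashes."""
    table = {}
    for algo in algos:
        for word in words:
            digest = hashlib.new(algo, word.encode("utf-8")).hexdigest()
            table[digest] = (algo, word)
    return table


def lookup(digest, table):
    """Table lookup: no hashing at query time, just a dictionary read."""
    return table.get(digest.strip().lower())


def scrypt_hash(password, salt=None):
    """Salted, deliberately slow hash; returns (salt, digest) as hex strings."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=2**14, r=8, p=1, dklen=32)
    return salt.hex(), dk.hex()


def verify(password, salt_hex, digest_hex):
    """Verification recomputes with the stored salt; no table is involved."""
    _, candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)
```

Two calls to `scrypt_hash("password")` return different digests because each draws a fresh salt, so neither appears in a precomputed table, while `verify` still succeeds with the stored salt.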

How to use the tool

  1. Paste the hash into the input field.
  2. The tool detects the format (length, prefix) and proposes the possible algorithms.
  3. If the hash matches an ultra-common password, the cleartext password is displayed.
  4. Otherwise, you get the list of candidate algorithms to explore further with a dedicated tool.

Frequently asked questions

Why is my bcrypt hash not matched against the dictionary?

Bcrypt uses a unique random salt per hash: even with the password "password", each user produces a different hash. Dictionary precomputation therefore does not work. That is precisely the property that makes bcrypt resistant to table-based attacks.

What if several algorithms are possible for the same length?

Cross-reference with other clues: the source of the hash (Active Directory points to NTLM, Linux /etc/shadow to SHA-512 crypt, an old MySQL database to MD5, etc.), and the application context. At equal length, MD5 remains statistically the most likely on old systems.

How do I "crack" a hash in practice?

For legitimate security tests (audit, pentest), the standard tools are John the Ripper and hashcat. They accept massive wordlists (rockyou, etc.) and leverage GPUs to test billions of candidates per second. Feasibility depends on the algorithm: MD5 and SHA-1 give way quickly, bcrypt and Argon2 slow the attack by several orders of magnitude.

Is the built-in dictionary browsable?

The dictionary is intentionally minimal (39 entries) and is there to illustrate the weakness of simple hashes on trivial passwords. For serious coverage, use an external wordlist (rockyou, SecLists) with John the Ripper or hashcat.

Can a hash be "decoded"?

No. A hash is not encryption: there is no inverse function. Any site that promises to "decode a hash" actually performs a lookup in a precomputed database. If your password is unique and long, it is not in there.

Example request

curl -X POST https://cdrn.fr/api/v1/tools/hash-identifier/execute \
  -H "Content-Type: application/json" \
  -d '{"hash":"..."}'

Input schema

Field   Type   Required   Default
hash    text

Endpoints

  • GET https://cdrn.fr/api/v1/tools - lists every available tool
  • GET https://cdrn.fr/api/v1/tools/hash-identifier - returns the schema for this tool
  • POST https://cdrn.fr/api/v1/tools/hash-identifier/execute - runs this tool with a JSON payload