You've got a hash. It's a long string of hex characters, or maybe it has a weird prefix like $2b$. You need to know what algorithm created it — for a CTF challenge, a security audit, password recovery, or just curiosity.
Here's the definitive guide to identifying any hash type by its length, character set, and format.
What Is a Hash?
A hash is a fixed-length string produced by a one-way mathematical function. Feed any input — a password, a file, a message — into a hashing algorithm and you get a unique fingerprint of a fixed size. The same input always produces the same output, but you can't reverse the process to recover the original input.
Hash functions are used everywhere: storing passwords in databases, verifying file integrity, digital signatures, and data deduplication.
How to Identify a Hash: The Quick Method
The fastest way to identify a hash is by its character count and character set. Most hashes are made up of hexadecimal characters (0–9, a–f), but some algorithms like bcrypt and SHA-512 crypt use a wider Base64 alphabet.
Step 1: Count the characters. Step 2: Note the character set (hex only, or alphanumeric+special). Step 3: Check for a prefix (bcrypt starts with $2b$, SHA-512 crypt starts with $6$).
Or just use our Hash Identifier tool to identify it automatically.
Hash Identification Reference Table
| Hash Type | Length | Character Set | Prefix / Notes |
|---|---|---|---|
| MD5 | 32 | Hex (0-9, a-f) | No prefix |
| SHA-1 | 40 | Hex | No prefix |
| SHA-224 | 56 | Hex | No prefix |
| SHA-256 | 64 | Hex | No prefix |
| SHA-384 | 96 | Hex | No prefix |
| SHA-512 | 128 | Hex | No prefix |
| SHA3-256 | 64 | Hex | Indistinguishable from SHA-256 by length |
| SHA3-512 | 128 | Hex | Indistinguishable from SHA-512 by length |
| NTLM | 32 | Hex | Same length as MD5 — context matters |
| MySQL 4.1+ | 40 | Hex | Sometimes prefixed with * |
| bcrypt | 60 | Base64 alphabet | Starts with $2a$, $2b$, or $2y$ |
| SHA-512 Crypt | 106 | Base64 alphabet | Starts with $6$ |
| SHA-256 Crypt | 63 | Base64 alphabet | Starts with $5$ |
| MD5 Crypt | 34 | Base64 alphabet | Starts with $1$ |
| Argon2 | Variable | Base64 + $ |
Starts with $argon2id$ or $argon2i$ |
| scrypt | Variable | Base64 + $ |
Starts with $s0$ |
| PBKDF2 | Variable | Base64 or Hex | Often prefixed with pbkdf2_sha256$ |
| LM Hash | 32 | Hex | Windows legacy — two 16-char halves |
| CRC32 | 8 | Hex | Very short — 4 bytes |
| Whirlpool | 128 | Hex | Less common |
| RIPEMD-160 | 40 | Hex | Same length as SHA-1 |
| Adler-32 | 8 | Hex | Checksum, not a cryptographic hash |
Identifying the Most Common Hashes
MD5 (32 hex characters)
5f4dcc3b5aa765d61d8327deb882cf99MD5 is the most common hash you'll encounter. 32 lowercase hex characters, no prefix. It was widely used for password storage but is now considered cryptographically broken — it's fast to compute, which makes brute-force attacks trivial.
Common in: Legacy web apps, file checksums, CTF challenges, database password dumps.
Limitation: MD5 and NTLM are both 32 hex characters. If you find a 32-char hash from a Windows system, it's probably NTLM. From a web app, it's likely MD5.
SHA-1 (40 hex characters)
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd840 hex characters. Deprecated for most security uses since 2017 but still common in older systems, Git commits, SSL certificates (legacy), and file checksums.
Common in: Git object IDs, older SSL certs, file verification tools.
SHA-256 (64 hex characters)
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8The current standard for most applications. 64 hex characters. Used in Bitcoin (double SHA-256), JWT signatures, modern password storage wrappers, and TLS.
Common in: Blockchain, API signatures, password storage (often wrapped in PBKDF2 or HMAC), file integrity verification.
SHA-512 (128 hex characters)
b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86128 hex characters. Stronger but slower than SHA-256. Used in some Linux password hashing (/etc/shadow) and high-security applications.
bcrypt (60 characters, Base64-like)
$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96p36WQoeG6Lruj3vjPGga31lWThe most recognizable hash format because of its structured prefix:
$2b$(or$2a$,$2y$) — algorithm version12— cost factor (work factor), how many rounds- Everything after — 53-character salt + hash combined
bcrypt is deliberately slow. You can't speed it up with a GPU — which is why it's the right choice for password hashing. If you see a 60-character string starting with $2, it's bcrypt.
Common in: PHP apps (password_hash()), Ruby on Rails, most modern web frameworks.
NTLM (32 hex characters)
b4b9b02e6f09a9bd760f388b67351e2bVisually identical to MD5 — 32 lowercase hex characters. NTLM is Windows' legacy authentication hash. If you're doing CTF or pentesting Windows systems, these will appear frequently.
How to tell MD5 from NTLM: Context. NTLM comes from Windows SAM databases, Active Directory, or tools like Mimikatz. MD5 typically comes from web application databases.
Argon2 (variable length, structured prefix)
$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObGThe 2015 Password Hashing Competition winner. Designed to be memory-hard, making it resistant to GPU and ASIC-based attacks. Modern frameworks (Django 4+, PHP 8.1+ native) are adopting Argon2id.
Prefix breakdown: $argon2id$ = variant, v=19 = version, m=65536 = memory cost, t=3 = time cost, p=4 = parallelism.
How to Identify a Hash When Length Alone Isn't Enough
Some hashes have identical lengths and character sets:
| Collision | How to Distinguish |
|---|---|
| MD5 vs NTLM (32 hex) | Source context — Windows = NTLM, web DB = MD5 |
| SHA-1 vs RIPEMD-160 (40 hex) | RIPEMD-160 is much rarer; SHA-1 is the safe guess |
| SHA-256 vs SHA3-256 (64 hex) | Need algorithm metadata or tooling |
| SHA-512 vs SHA3-512 vs Whirlpool (128 hex) | Need context or hash-id tool |
When length alone can't resolve it, you need to:
- Check the source system (OS, app framework, database)
- Try cracking against a known value to confirm the algorithm
- Use a hash identifier tool that tests multiple algorithms
Using a Hash Identifier Tool
Rather than manually counting characters, use our Hash Identifier — paste in any hash and it will:
- Match the length and character set against all known algorithms
- Highlight the most likely candidates
- Flag prefixed formats (bcrypt, SHA-crypt, Argon2) automatically
This is especially useful for CTF challenges where you encounter unfamiliar hash formats or need to process multiple hashes quickly.
Real-World Scenarios
Scenario 1: You have a database dump
You find a users table with a password column containing 60-character strings starting with $2b$. These are bcrypt hashes. Modern and properly implemented — cracking them is computationally expensive.
Scenario 2: CTF challenge — you find a hash file
098f6bcd4621d373cade4e832627b4f632 hex characters → MD5. The string test hashes to this value in MD5. A quick wordlist attack with hashcat or john will crack common passwords instantly.
hashcat -m 0 -a 0 hash.txt wordlist.txtMode -m 0 is MD5. If it were SHA-1, use -m 100. SHA-256 is -m 1400.
Scenario 3: Linux /etc/shadow
$6$rounds=5000$usesomesalt$IxDD3jerizQ5s/bS3FbSsO6hMGFjfSKNBWENHyJ7FXKC4XiuT3pOlLGEBpRiuJ3QGJlyXfS4uNIaVpqEcF2b.Starts with $6$ → SHA-512 crypt. The format is: $id$salt$hash where id=6 means SHA-512.
| ID | Algorithm |
|---|---|
$1$ |
MD5 crypt |
$5$ |
SHA-256 crypt |
$6$ |
SHA-512 crypt |
$y$ |
yescrypt |
$2b$ |
bcrypt |
Hashcat Mode Reference
If you're cracking hashes (on systems you're authorized to test), here are the hashcat modes for the most common types:
| Hash Type | Hashcat Mode |
|---|---|
| MD5 | 0 |
| SHA-1 | 100 |
| SHA-256 | 1400 |
| SHA-512 | 1700 |
| NTLM | 1000 |
| bcrypt | 3200 |
| SHA-512 Crypt ($6$) | 1800 |
| MySQL 4.1+ | 300 |
| WPA/WPA2 | 2500 |
Quick Identification Cheatsheet
- 8 chars, hex → CRC32 or Adler-32 (checksum, not crypto)
- 32 chars, hex → MD5 or NTLM
- 40 chars, hex → SHA-1 or RIPEMD-160
- 56 chars, hex → SHA-224
- 64 chars, hex → SHA-256 or SHA3-256
- 96 chars, hex → SHA-384
- 128 chars, hex → SHA-512, SHA3-512, or Whirlpool
- 60 chars, starts with
$2→ bcrypt - Starts with
$1$→ MD5 crypt - Starts with
$5$→ SHA-256 crypt - Starts with
$6$→ SHA-512 crypt - Starts with
$argon2→ Argon2 - Starts with
pbkdf2_→ PBKDF2
Identify Your Hash Now
Use our free Hash Identifier tool — paste any hash and get an instant identification with confidence scores and likely algorithms.
Related tools and guides: