Hash Identifier — Detect MD5, SHA, bcrypt & Argon2

Incident responders classify leaked columns as fast hashes vs slow KDFs to prioritize rotation urgency. Developers confirm test fixtures use expected algorithms. Auditors trace legacy systems still emitting MD5 checksums.

Identification is heuristic — collision of hex lengths means SHA-256 and truncated SHA-512 could theoretically confuse length-only rules. Prefix patterns disambiguate salted formats like bcrypt.

Digests and password hashes pasted into online tools have leaked secrets in past breaches of shady sites. Our identifier never transmits your input — processing stays in tab memory.

Treat unknown hashes as sensitive — they may be crackable offline if derived from weak passwords.

Pure hexadecimal strings map to bit length divided by four characters. Thirty-two chars equals 128-bit MD5. Forty equals SHA-1. Sixty-four equals SHA-256. One hundred twenty-eight equals SHA-512.

When only length matches and multiple types share hex encoding, confidence drops to medium — use contextual clues like source system age and field width in schemas.

bcrypt strings include $2a$, $2b$, or $2y$ cost markers and twenty-two character salt segments. Argon2 encodes variant (id, i, d) in the prefix with embedded cost parameters.

These formats receive high confidence single-match identification because prefixes are distinctive.

High: exactly one algorithm matched. Medium: multiple candidates, typically hex length collisions between unrelated algorithms. Low: no pattern fit — may be hex-encoded binary, CRC, or proprietary format.

Low confidence does not mean invalid — extend analysis with source code review.

We do not crack hashes or verify against wordlists. Truncated digests lose distinguishing length. Base64-encoded hashes are not parsed — decode externally first if needed.

HMAC outputs resemble bare hashes — context must distinguish keyed from unkeyed digests.

Identify type, then choose cracking strategy: fast hashes warrant immediate password reset campaigns; bcrypt leaks still require rotation but buy time. Document algorithm in ticket for legal and compliance trails.

Pair with password strength meter messaging when forcing user resets after identification confirms weak KDF absent.

Confirm migration scripts transformed MD5 columns to bcrypt with new prefix patterns visible in staging dumps. Validate log redaction removed full hashes but left identifiable prefixes for debugging.

Unit tests paste known vectors to ensure identifier regresses correctly on format changes.

Random hex tokens that are API keys not hashes — length may mimic SHA-256. UUIDs without dashes resemble MD5. Always combine tool output with where the string appeared.

Multiple concatenated hashes pasted as one string fail format rules — split and retry.

Only analyze hashes you own or are authorized to investigate. Unauthorized cracking of third-party credentials violates computer fraud laws in many jurisdictions.

Identification is read-only classification — still handle leaked hash lists under data breach procedures.