Ecosystem · Hash identification
Hash identifiers
You found a hash in a database dump, a CTF, or a forensic image and you want to know what algorithm produced it. A hash identifier scores candidate algorithms based on length, character set, leading prefixes, and family-specific markers ($2b$ for bcrypt, $argon2id$ for Argon2, etc.).
The three commonly used identifiers
hashid (psypanda)
- github.com/psypanda/hashID
- Python; classifies a hash against 200+ patterns.
- Output: ordered list of candidate algorithms with Hashcat / John modes.
- Usage:
hashid <hash_string>
name-that-hash (HashPals)
- github.com/HashPals/Name-That-Hash
- Modern Python rewrite; cleaner output, JSON mode, popularity-ranked candidates.
- Distinguishes “definite” from “maybe” matches.
hash-identifier (Zion3R)
- The original interactive Python tool from 2010s.
- Smaller pattern set, mostly superseded by hashid / name-that-hash.
What identifiers can and can’t do
- Length-based classification works. 32 hex chars → MD5 or NTLM (same length, different algorithm); 40 → SHA-1 or RIPEMD-160; 64 → SHA-256 or SHA3-256; 128 → SHA-512 or BLAKE2b-512 or Whirlpool.
- Prefix-based classification is decisive. Modern password hashes carry algorithm identifiers (
$2b$,$6$,$argon2id$) that uniquely identify the function. - Within a length, identifiers guess. MD5 and NTLM both produce 32 hex chars; HMAC-MD5 also does. Identifiers rank by frequency, but only context (where the hash came from) settles the question.
- Non-cryptographic hashes are easy to miss. A 16-hex-char string could be a Murmur, an xxHash64, or a CRC64. Identifiers tend to assume cryptographic intent.
Manual identification heuristics
| Hex length | Likely algorithm |
|---|---|
| 8 | CRC32 / Adler-32 / Murmur32 |
| 16 | CRC64 / Murmur64 / xxHash64 / SipHash-2-4 |
| 32 | MD5 / NTLM / HMAC-MD5 |
| 40 | SHA-1 / RIPEMD-160 / HMAC-SHA-1 |
| 56 | SHA-224 / SHA3-224 |
| 64 | SHA-256 / SHA3-256 / BLAKE2s / BLAKE3 |
| 96 | SHA-384 / SHA3-384 |
| 128 | SHA-512 / SHA3-512 / BLAKE2b-512 / Whirlpool |
| 60 (ASCII) | bcrypt ($2b$ prefix) |
Why hash modes (Hashcat -m) are part of the output
Identifiers print Hashcat’s -m numbers alongside algorithm names so the typical pipeline becomes:
hashid '$2b$12$ABC...'
# -> bcrypt (-m 3200)
hashcat -m 3200 hashes.txt wordlist.txt