Hash Identification: How to Tell SHA-256 from MD5 at a Glance
Different hash algorithms produce outputs of different lengths and character sets. Learn how to identify MD5, SHA-1, SHA-256, SHA-512, bcrypt, and other common hash types just by looking at them.
Why Hash Identification Matters
When you encounter a hash string — in a database, a log file, a config file, or a CTF challenge — you need to know what algorithm produced it before you can do anything useful with it. You cannot verify it, crack it, or reproduce it without knowing the algorithm.
Fortunately, most hash algorithms have distinctive signatures: characteristic length, character set, and format. With practice, you can identify the most common ones at a glance.
The Quick Reference Guide
| Hash type | Length (chars) | Character set | Example prefix |
|---|---|---|---|
| MD5 | 32 | Hex (0-9, a-f) | (none) |
| SHA-1 | 40 | Hex | (none) |
| SHA-224 | 56 | Hex | (none) |
| SHA-256 | 64 | Hex | (none) |
| SHA-384 | 96 | Hex | (none) |
| SHA-512 | 128 | Hex | (none) |
| bcrypt | 60 | Base64-like | $2b$ or $2a$ |
| Argon2 | Variable | Encoded | $argon2 |
| PBKDF2 | Variable | Base64 or hex | (varies) |
| CRC32 | 8 | Hex | (none) |
| NTLM | 32 | Hex | (none, same as MD5) |
Identifying by Length
Length is the fastest way to narrow down the algorithm, because the output length is fixed per algorithm:
32 hex characters (128 bits)
Could be: MD5 or NTLM
d8e8fca2dc0f896fd7cb4cb0031ba249 ← MD5
b4b9b02e6f09a9bd760f388b67351e2b ← NTLM (same length as MD5)
MD5 and NTLM are indistinguishable by length alone. Context matters: password hashes in Windows NTLM authentication have a specific format in dumps (often stored alongside the username). Standalone 32-char hex hashes are usually MD5.
40 hex characters (160 bits)
Almost certainly: SHA-1
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA-1 is the only common algorithm producing a 40-character hex output.
56 hex characters (224 bits)
Likely: SHA-224 or SHA3-224
Rare in practice — SHA-224 is used in some certificate chains but not commonly encountered outside cryptography tooling.
64 hex characters (256 bits)
Could be: SHA-256 or SHA3-256
a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
SHA-256 is by far the most common — used in TLS certificates, Bitcoin, code signing, file integrity, and practically everywhere modern security requires a hash.
96 hex characters (384 bits)
Likely: SHA-384
Used in some TLS configurations (ECDHE-ECDSA-AES256-GCM-SHA384) but rare to encounter as a standalone hash.
128 hex characters (512 bits)
Likely: SHA-512 or SHA3-512 or Whirlpool
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
SHA-512 is common in Linux password hashing ($6$ prefix in /etc/shadow), cryptocurrency applications, and high-security systems.
Identifying by Format and Prefix
Some modern password hashing algorithms include algorithm parameters in the hash string itself, making them easy to identify:
bcrypt
$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/lewFpFVBkzZCwnNIS
Always starts with $2b$, $2a$, or $2y$. The number after (12 in this case) is the cost factor (work factor). bcrypt hashes are always 60 characters including the prefix.
Argon2
$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
Argon2 hashes include the variant (argon2i, argon2d, argon2id), version, memory cost (m), time cost (t), and parallelism (p), followed by the salt and digest in Base64. These are impossible to mistake for anything else.
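The embedded fields described above can be pulled out mechanically, which is useful when auditing stored hashes for their cost settings. This is an added Python example, not code from any tool named in this article; `parse_password_hash` and the dictionary keys are names chosen here, and the demo inputs are the bcrypt and Argon2 strings shown above.

```python
import base64
import re

# bcrypt: $<variant>$<2-digit cost>$<22-char salt><31-char digest>  (60 chars total)
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Argon2: $<variant>$v=<version>$m=<mem>,t=<time>,p=<lanes>$<salt>$<digest>
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")


def _b64_nopad(text):
    """Decode standard Base64 written without '=' padding, as Argon2 strings are."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_password_hash(value):
    """Return the parameters embedded in a bcrypt or Argon2 string, else None."""
    m = BCRYPT_RE.match(value)
    if m:
        return {"scheme": "bcrypt", "variant": m.group(1),
                "cost": int(m.group(2)),          # work factor, e.g. 12
                "salt": m.group(3), "digest": m.group(4)}
    m = ARGON2_RE.match(value)
    if m:
        return {"scheme": "argon2", "variant": m.group(1),
                "version": int(m.group(2)),
                "memory_kib": int(m.group(3)),    # m is expressed in KiB
                "time_cost": int(m.group(4)),
                "parallelism": int(m.group(5)),
                "salt": _b64_nopad(m.group(6)),
                "digest_len": len(_b64_nopad(m.group(7)))}
    return None


if __name__ == "__main__":
    # Inputs are the two example strings printed in the article.
    for h in ("$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/lewFpFVBkzZCwnNIS",
              "$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"):
        print(parse_password_hash(h))
```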
PBKDF2 (in Linux shadow format)
$5$rounds=5000$salt$hash ← SHA-256 based
$6$rounds=5000$salt$hash ← SHA-512 based
Linux /etc/shadow uses $5$ for SHA-256 and $6$ for SHA-512 PBKDF2. Windows Active Directory stores PBKDF2 hashes differently.
MySQL / MariaDB password hashes
Old MySQL: 16 hex characters (a custom non-standard hash — avoid)
MySQL 4.1+: * followed by 40 hex characters (SHA-1 based, still not recommended)
Non-Hex Hash Formats
Not all hashes are purely hexadecimal. Some use Base64:
- PBKDF2 in application frameworks — often stored as Base64 with a colon separator:
PBKDF2:sha256:260000:salt:digest
- JWT signatures — the third part of a JWT is a Base64url-encoded HMAC-SHA256 (or RS256, ES256) signature
- Argon2 — uses standard Base64 for salt and digest portions
Base64 uses characters A-Z, a-z, 0-9, +, / (or -, _ for URL-safe Base64), with = padding. If a hash contains uppercase letters and slashes, it's likely Base64-encoded.
The Same Input, Different Algorithms
Here's "password" hashed with several algorithms — note the length difference:
MD5: 5f4dcc3b5aa765d61d8327deb882cf99 (32 chars)
SHA-1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (40 chars)
SHA-256: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 (64 chars)
SHA-512: b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86 (128 chars)
bcrypt: $2b$12$TbNr/EeSO2bFBPx/... (60 chars, different every time due to random salt)
Automated Hash Identification
Manual identification works well for common algorithms. For more obscure hashes (Whirlpool, RIPEMD, Tiger, etc.), dedicated tools can help:
- hashid (Python) — identifies hash type from pattern matching:
hashid 5f4dcc3b5aa765d61d8327deb882cf99
- hash-identifier (Python) — similar pattern matching approach
- Online tools — paste the hash and get a list of possible matches
The Hash Identifier on DevGizmo analyses a hash string and returns the most likely algorithm based on length and format patterns.
Common Mistakes
- Confusing MD5 with NTLM — both are 32 hex characters. Context is everything.
- Assuming a 64-char hex string is always SHA-256 — SHA3-256 and some custom algorithms also produce 64 hex chars.
- Treating a bcrypt hash as crackable by lookup — unlike MD5 and SHA-1, bcrypt is intentionally slow and salted. Rainbow tables don't work against bcrypt.
- Forgetting about encoding — the same SHA-256 digest can appear as 64 hex chars, 44 Base64 chars, or 43 Base64url chars depending on encoding.
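The length, prefix and encoding rules from this article, combined into one identifier that returns every candidate rather than a single guess. This is an added Python example, not the code of hashid, hash-identifier or DevGizmo; `identify` and its labels are names chosen here, and the demo strings are examples printed in this article.

```python
import base64
import binascii
import re

# Self-describing prefixes are checked first: stronger evidence than length.
PREFIXES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$argon2(id|i|d)\$"), "Argon2"),
    (re.compile(r"^\$5\$"), "shadow $5$ (SHA-256 based)"),
    (re.compile(r"^\$6\$"), "shadow $6$ (SHA-512 based)"),
    (re.compile(r"^\*[0-9A-Fa-f]{40}$"), "MySQL 4.1+"),
]
# Hex length -> candidates, taken from the article's table and length sections.
HEX_LENGTHS = {
    8: ["CRC32"], 16: ["Old MySQL"], 32: ["MD5", "NTLM"], 40: ["SHA-1"],
    56: ["SHA-224", "SHA3-224"], 64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"], 128: ["SHA-512", "SHA3-512", "Whirlpool"],
}


def identify(value):
    """Return every candidate algorithm for a hash string; [] if none fit."""
    s = value.strip()
    for pattern, name in PREFIXES:
        if pattern.match(s):
            return [name]
    if re.fullmatch(r"[0-9A-Fa-f]+", s):
        return list(HEX_LENGTHS.get(len(s), []))
    # Encoding caveat: the digest may be stored as Base64/Base64url, not hex.
    if re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", s):
        core = s.rstrip("=")
        padded = core.replace("-", "+").replace("_", "/") + "=" * (-len(core) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            return []
        # Ignore very short decodes: ordinary words decode to a few bytes by chance.
        if len(raw) >= 16:
            return [c + " (Base64-encoded)" for c in HEX_LENGTHS.get(len(raw) * 2, [])]
    return []


if __name__ == "__main__":
    # Sample strings are examples printed in the article.
    for sample in ("5f4dcc3b5aa765d61d8327deb882cf99",
                   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
                   "$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/lewFpFVBkzZCwnNIS"):
        print(sample[:16] + "...", identify(sample))
```

A 32-character hex input returns both MD5 and NTLM, and a 64-character one returns both SHA-256 and SHA3-256, so the caller still has to resolve the ambiguity from context.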