Five hash utilities in one tab. Detect what algorithm a hash came from, generate MD5/SHA-1/SHA-256/SHA-512 from text, verify a password against a hash, score a hash for security, and estimate password crack time — all locally in your browser.
Paste a hash. We detect the algorithm by structural pattern matching — length, charset and prefix.
A hash function takes any input — a password, a file, an entire database — and produces a fixed-size fingerprint. Same input always produces the same fingerprint; even a single-byte change produces a completely different one. Crucially, a good hash is one-way: you cannot reverse the fingerprint back into the original.
This is why every modern login system stores hashes of passwords instead of the passwords themselves. If a database leaks, attackers see the fingerprints, not your users' actual credentials.
Status: broken. Collision attacks since 2004.
Use for: non-security checksums only — ETags, cache keys.
Never use for: passwords, signatures, integrity in adversarial settings.
Status: deprecated. Practical collision in 2017 (SHAttered).
Use for: legacy interop (Git uses it for historical reasons).
Status: cryptographically secure for digests.
Use for: file integrity, content addressing (Git plans to migrate to SHA-256), HMAC, blockchain.
⚠️ Don't use for password storage — they're too fast. A modern GPU runs billions of SHA-256 per second.
Status: industry standard for password storage for 25 years.
Built-in salt and tunable cost factor that you raise as hardware gets faster.
Limitation: 72-byte input cap; not memory-hard.
Status: winner of the Password Hashing Competition.
Memory-hard — designed to resist GPU and ASIC attackers. OWASP's #1 recommendation for new applications.
Configure with at least 19 MiB memory, 2 iterations, 1 thread (OWASP 2023).
Hash functions throw away information by design. A hash function maps an infinite input space (any text of any length) to a finite output (e.g. 256 bits = 2²⁵⁶ possible values). By the pigeonhole principle, infinite inputs collapse into finite outputs, so an attacker with just the hash cannot tell which input produced it — there are theoretically infinite candidates.
"Cracking" a hash never means reversing it. It means guessing inputs, hashing each one, and comparing. That's why slow, salted, memory-hard algorithms like Argon2 are mandatory for passwords — they cap how many guesses an attacker can make per second.
Looking for a quick hash checker online, a hash identifier tool, or just an MD5 generator online? You'll find all of it here in one tab. Need an even more focused tool? See our Hash Generator for batch generation or our Password Generator to create strong inputs first.
No. By construction, hash functions destroy information. "Reversing" a hash means guessing inputs and hashing each one — which is why slow, salted algorithms (bcrypt, Argon2) are mandatory for password storage.
For passwords: Argon2id is OWASP's top recommendation, with bcrypt (cost ≥ 12) as a strong fallback. For general digests (file integrity, signatures): SHA-256 or SHA-3.
SHA hashes are designed to be fast — billions of operations per second on GPUs. That's wonderful for verifying a download, terrible for protecting passwords (it lets attackers brute-force them quickly). bcrypt was deliberately designed to be slow and includes a built-in salt and tunable work factor that you raise as hardware speeds up.
No. All five tools run entirely in your browser. There is no server endpoint to send anything to. You can verify by opening DevTools → Network and watching it stay empty while you type.
It tries — by matching length, charset and prefix patterns. But hashes of the same digest size (SHA-256 vs SHA3-256 vs Keccak-256) are indistinguishable from the hash alone. The identifier flags those cases with "medium" or "low" confidence and lists plausible alternates.
It uses standard entropy math: combinations = charset^length, divided by attacker guesses-per-second. Numbers come from public benchmarks (~50 GH/s for MD5 on a consumer GPU, ~10 kH/s for bcrypt cost 12). The categories (instant / minutes / years / impractical) are conservative — a determined nation-state attacker with rented cloud GPUs may be several orders of magnitude faster.
Other browser-based crypto and security utilities that pair well with hash analysis.