Boneyard Tools

Hash Identifier

Paste a hash to guess its algorithm. We match prefixes like bcrypt and Unix crypt, then fall back to length and character set to rank candidates such as MD5, SHA-1 and SHA-256.

How to identify a hash

  1. Paste the hash string into the box (one hash at a time).
  2. Read the ranked candidates, ordered by confidence.
  3. Use the highest-confidence match, noting that equal-length hashes can overlap.

Examples

MD5 hash

5f4dcc3b5aa765d61d8327deb882cf99
MD5 (high), NTLM (medium), MD4 (low), MD2 (low)

bcrypt hash

$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bcrypt (high)

Frequently asked questions

Is my hash sent to a server?

No. Identification runs entirely in your browser using JavaScript, so the hash you paste never leaves your device.

How does the detection work?

We first check for known prefixes like $2y$ (bcrypt) or $6$ (SHA-512 crypt). If none match, we look at the character set and length to rank likely algorithms.

Can it tell MD5 from NTLM?

Not reliably. MD5 and NTLM are both 32 hex characters, so they are indistinguishable by format alone. We rank MD5 higher because it is far more common, and list NTLM as a likely alternative.

Why do I get several candidates?

Many algorithms share an output length. A 64-character hex string could be SHA-256, SHA3-256 or BLAKE2s-256, so we show every plausible match instead of guessing one.

Does identifying a hash let me reverse it?

No. Cryptographic hashes are one-way. Knowing the algorithm only tells you how a value was hashed, not the original input.

Related tools

Security Tools

Reverse Shell Generator

Generate reverse shell one-liners for Bash, Python, PHP, Perl, Ruby, PowerShell, Netcat and Socat from an IP and port, plus the listener command.

Developer Tools

Hash Generator

Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from any text. Live, lowercase hex output that runs entirely in your browser.

Security Tools

HMAC Generator

Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.

Developer Tools

JWT Decoder

Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.

Security Tools

AES Encryption

Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.

Security Tools

CSP Analyzer

Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.