All Tools

Hash Verifier

Identify hash types and verify whether candidate text matches a digest. Runs entirely in your browser.

Read remediation guide

Privacy and how this works

  • Runs entirely in your browser. Digests are computed locally with JavaScript and the Web Crypto API. Your input is never sent to, logged by, or stored on Vulnify servers.
  • UTF-8 text matters. Spaces, newlines, and capitalization all change the result. For example, "test" and "Test" produce different digests.
  • Verification only, not cracking. This tool identifies likely hash types and checks whether candidate text reproduces a digest. It cannot reverse or decrypt a hash.
  • Not for password storage. These are plain one-way hashes. Production systems should use salted, slow key-derivation functions such as bcrypt, scrypt, or Argon2.
Hash input format
Compare computed hash as

Paste a hex or Base64 digest, or use Auto-detect. Choose how computed values are shown when verifying.

Leave blank to identify the hash type only. Add text to check for a match.

What This Tool Checks

  • Likely digest algorithms from byte length
  • Hex and Base64 digest input
  • Plaintext match verification against candidate text
  • MD5, SHA-1, SHA-256, SHA-384, and SHA-512 compatibility

Best For

Best for developers checking download checksums, validating test vectors, or confirming whether a candidate string produces a known digest during investigations.

What To Do Next

Compare full digests over a trusted channel, use SHA-256 or stronger for new work, and remember that password hashes from bcrypt or Argon2 will not match plain SHA output.

Related Resources

Read The GuideRun Hash GeneratorSee Plans

Can this tool reverse a hash back to the original text?

No. Hashes are one-way. This tool identifies the likely algorithm from the digest format and checks whether a candidate plaintext produces the same hash. It does not crack or decrypt hashes.

Is my hash or plaintext sent to a server?

No. Identification and verification run entirely in your browser. Nothing is transmitted, logged, or stored.

Why does verification fail when I know the password is correct?

The hash may use a different algorithm, encoding, salt, or key stretching than you expect. Plain SHA-256 of a password is not the same as bcrypt or Argon2 output, even for the same password.