Hash Preimage Finder

Watch a bounded, local brute-force search recover a weak hash input in seconds, or run out of keyspace on anything with real entropy. No wordlist, no table, just your browser. A demonstration of why fast, unsalted hashes fail.

Hashing & crypto
Paste a hex hash; the algorithm is detected from its length.
Candidate alphabet
up to 12
Keyspace: 1,111,110 candidates
This is why weak hashes fall, and how storage is actually protected

A fast hash of a low-entropy input is trivially reversible by enumeration, as you just saw. Real password storage defends against this in three layers.

Salting defeats precomputed tables

A unique random salt per password makes every stored hash different, even for identical passwords. That is what breaks lookup services like CrackStation: a precomputed table would need rebuilding for every salt, so it becomes useless.

Slow KDFs defeat brute force

bcrypt, scrypt, Argon2, and PBKDF2 are deliberately slow and tunable. Making each guess cost milliseconds instead of nanoseconds cuts an attacker's rate by six orders of magnitude or more, turning a seconds-long crack into millennia.

Algorithm and length matter

MD5 and SHA-1 are collision-broken and, like SHA-256, far too fast for storing secrets. Use a purpose-built password hash, and give secrets enough length and randomness that no keyspace search can reach them.

Everything runs locally in your browser. Nothing you paste is uploaded. This tool exists to demonstrate hash weakness and is bounded so it can only recover trivially weak inputs.