Back

Decodificador de hashes de contraseña

Los hashes de contraseña almacenan credenciales de forma segura usando funciones unidireccionales con sales y factores de trabajo configurables. Esta herramienta detecta automáticamente y analiza hashes en Formato de Cripta Modular (MCF), Formato de Cadena PHC y esquemas LDAP, mostrando el algoritmo, parámetros, sal, salida del hash y una evaluación de seguridad.

Especificaciones

Casos de uso comunes

  • Identificar qué algoritmo de hash usa una base de datos para contraseñas
  • Auditar la seguridad de hashes de contraseña durante pruebas de penetración o revisiones de seguridad
  • Verificar que los factores de costo de bcrypt y los parámetros de Argon2 cumplan las recomendaciones de OWASP
  • Comprender los esquemas de almacenamiento de contraseñas de directorios LDAP
  • Depurar problemas de autenticación inspeccionando el formato y parámetros del hash

Funcionalidades

  • Detección automática de formatos MCF ($1$, $2b$, $5$, $6$, $sha1$, $apr1$), PHC ($argon2id$, $scrypt$, $pbkdf2$) y LDAP ({SSHA}, {SHA}, {MD5})
  • Mostrar algoritmo, variante, parámetros (costo, rondas, memoria, paralelismo), sal y salida del hash
  • Evaluación de seguridad: crítica (MD5/sin sal), débil (SHA-1/costo bajo), moderada (SHA-crypt), fuerte (bcrypt 12+/argon2/scrypt)
  • Recomendaciones de evaluación de seguridad codificadas por color
  • Visualización del formato de codificación del hash (base64, hex, etc.)
  • Analizar múltiples hashes desde entrada multilínea
  • Mostrar longitud en bits y formato de codificación del hash
  • Enlace a especificaciones relevantes para cada algoritmo

Ejemplos

Hash de contraseña bcrypt

Pruébalo →

Un hash bcrypt con factor de costo 12 — el mínimo recomendado para nuevas aplicaciones.

$2b$12$LJ3m4ys3Lg2VBe5E5Ij25eNsaDl3JK8i3pg7jBepGQhWcqMpqXA4q

Hash de contraseña Argon2id

Pruébalo →

Argon2id con 64 MB de memoria, 3 iteraciones y 4 hilos — la mejor práctica actual.

$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+daw

Consejos

  • Se recomienda un factor de costo de bcrypt de 12+ según OWASP. Cada incremento duplica el tiempo de cálculo.
  • Argon2id es la mejor práctica actual — combina resistencia a canales laterales (argon2i) y resistencia a GPU (argon2d).
  • LDAP {SSHA} es SHA-1 con sal — mejor que {SHA} pero sigue siendo un hash rápido. Migre a bcrypt o Argon2.
  • Pegue la salida del hash de contraseña del panel Codificar Como para decodificarlo y verificarlo aquí.

Comprender Decodificador de hashes de contraseña

Password hashing is the practice of storing passwords as one-way cryptographic hashes rather than plaintext. When a user sets a password, the system hashes it and stores the hash. During login, the system hashes the submitted password and compares the result to the stored hash. Because the hash function is one-way, an attacker who obtains the hash database cannot directly recover the passwords.

Modern password hashing algorithms are intentionally slow and memory-intensive to resist brute-force attacks. bcrypt uses a configurable cost factor where each increment doubles the computation time. Argon2 (the winner of the 2015 Password Hashing Competition) adds configurable memory usage to resist GPU-based attacks. scrypt similarly requires significant memory. These "slow hashes" are fundamentally different from fast hashes (MD5, SHA-256) which are designed for speed and are unsuitable for password storage.

Password hashes use standardized string formats for portability. The Modular Crypt Format (MCF) uses $ delimiters: $2b$12$... for bcrypt, $5$ for SHA-256-crypt, $6$ for SHA-512-crypt. The PHC String Format (used by Argon2) adds named parameters: $argon2id$v=19$m=65536,t=3,p=4$salt$hash. LDAP systems use scheme prefixes: {SSHA}, {PBKDF2}.

Each hash includes a salt — random data combined with the password before hashing to ensure that identical passwords produce different hashes. Without salting, attackers can use precomputed rainbow tables to look up common password hashes instantly. The salt is stored alongside the hash (it is not secret) and is generated randomly for each password.

For new applications, Argon2id is the current best practice as recommended by OWASP. If Argon2 is not available in your framework, bcrypt with cost factor 12+ is the next best choice, and scrypt is also acceptable. MD5, SHA-1, and plain SHA-256 should never be used for passwords — they are too fast and can be brute-forced at billions of attempts per second on modern GPUs. MD5 in particular was designed as a fast checksum algorithm, not for password storage, and it has known collision vulnerabilities. Unsalted MD5 hashes are also vulnerable to rainbow table attacks.

The bcrypt cost factor (the number after $2b$) is an exponent that controls computation time. Cost 10 means 2^10 = 1,024 iterations, while cost 12 means 2^12 = 4,096 iterations — four times slower than cost 10. OWASP recommends cost 12 as the minimum. Each increment doubles the time, so increasing from 10 to 12 makes hashing 4x slower for both the server and any attacker.

A salt and a pepper serve different roles in password security. A salt is random data stored alongside the hash, unique per password, ensuring identical passwords produce different hashes — salts are not secret. A pepper is a secret key applied to all passwords (typically via HMAC), stored separately from the database in application configuration or a hardware security module. If the database is compromised but the pepper is not, the attacker cannot crack the hashes even with the salts. Using both provides defense in depth.

← Volver a todas las herramientas