Dehash
Test whether an MD5, SHA-1, or SHA-256 hash can be matched to a common plaintext, and learn why hashes cannot be truly decrypted. Everything runs client-side; your hash never leaves your browser.
Warning: This hash was found in a common password database. If this is a password hash, the password is extremely weak and should be changed immediately.
This hash was not found in our database. The original value is likely a strong, unique string that cannot be dehashed via dictionary lookup.
Paste a hash below to dehash it
Dehash a Hash
Checks against ~10,000 common passwords & strings. All processing happens in your browser.
What is Dehashing?
Dehashing is a common name for lookup-based hash recovery. Cryptographic hash functions like MD5, SHA-1, and SHA-256 are one-way functions, so they cannot be mathematically decrypted. A dehash tool can only find a match when the original input is already present in a dictionary or lookup table.
This page focuses on what "dehashing" can and cannot recover. For a shorter auditing workflow, use the hash lookup tool. If a password hash can be matched using a common dictionary, that password should be changed.
How Dehashing Works
1. Paste Hash
Enter any MD5 (32 chars), SHA-1 (40 chars), or SHA-256 (64 chars) hash value.
2. Local Computation
Your browser computes hashes for all dictionary entries and compares them locally.
3. Instant Result
If a match is found, the original plaintext is revealed. No data leaves your device.
Dehashing vs Decryption
Many people confuse dehashing with decryption, but they are fundamentally different processes:
| Property | Dehashing | Decryption |
|---|---|---|
| Method | Dictionary/rainbow table lookup | Mathematical reversal with key |
| Requires key? | No | Yes |
| Guaranteed? | No — only works for known inputs | Yes — always recovers original data |
| Works on | MD5, SHA-1, SHA-256 (unsalted) | AES, RSA, ChaCha20 |
Which Hashes Can Be Dehashed?
| Algorithm | Length | Dehashable? | Why |
|---|---|---|---|
| MD5 | 32 hex chars | Yes (common inputs) | Fast to compute, massive rainbow tables exist |
| SHA-1 | 40 hex chars | Yes (common inputs) | Fast to compute, widely targeted |
| SHA-256 | 64 hex chars | Sometimes | Slower to compute but still vulnerable for weak inputs |
| bcrypt | 60 chars | No | Unique salt per hash, intentionally slow |
| Argon2 | Variable | No | Memory-hard, salted, designed to resist lookup attacks |
Frequently Asked Questions
What is dehashing?
Dehashing is the process of attempting to find the original plaintext input that produced a given hash value. Since hash functions are one-way, dehashing relies on comparing the hash against a database of known hash-plaintext pairs rather than reversing the algorithm.
Can you dehash MD5?
MD5 hashes of common strings can often be dehashed using rainbow tables or dictionary lookups. MD5 is fast to compute, making it vulnerable to brute-force attacks. However, unique or complex inputs cannot be dehashed regardless of the algorithm.
Is dehashing the same as decryption?
No. Decryption reverses encryption using a key to recover the original data. Dehashing is not true reversal — it is a lookup process that checks if a hash matches a known input. Hash functions are mathematically irreversible, unlike encryption.
Which hash algorithms can be dehashed?
This tool supports dehashing MD5 (32 hex chars), SHA-1 (40 hex chars), and SHA-256 (64 hex chars). Password hashes like bcrypt and Argon2 use unique salts, making them resistant to lookup-based dehashing.
Is my data safe when using this dehash tool?
Yes. All dehashing runs entirely in your browser. The hash you paste is never sent to any server. The common password database is loaded locally and all comparisons happen client-side using the Web Crypto API.
Why can't the tool dehash my hash?
The tool checks against a curated database of ~10,000 common passwords and strings. If the original input was unique, complex, or uncommon, it won't be in the database. Strong, unique passwords are designed to be resistant to dehashing.