What is a timing attack and why does it matter for hash comparison?

A timing attack exploits the fact that a naive string comparison (==) returns early when it finds the first non-matching character, leaking information about how many bytes matched. Constant-time comparison always examines every byte regardless of where a mismatch occurs, preventing an attacker from inferring hash content through response-time differences.

Does this tool send my hashes to a server?

No. All comparison logic runs entirely in your browser using JavaScript. Nothing is transmitted over the network.

Why does a bcrypt hash never match even when the password is correct?

Bcrypt produces a hash that embeds a random salt, so the same password hashed twice produces different digests. You cannot compare two bcrypt hashes directly — you must use a bcrypt verify function that re-derives the hash using the embedded salt.

Is case sensitivity important?

Hex digests are case-insensitive (a2f and A2F represent the same bytes), so this tool normalizes both inputs to lowercase before comparing. Base64 and bcrypt are case-sensitive; the tool detects the encoding and applies the appropriate normalization.

What hash algorithms does this support?

Any hash that can be represented as a hex or Base64 string — MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, RIPEMD-160, bcrypt, Argon2 output, HMAC variants, and more. The tool compares the string representation, not the algorithm.

Hash Comparison Tool

Name: Hash Comparison Tool
Availability: InStock
Author: Nham Vu

Paste two hash digests and instantly see whether they match, with length and encoding details.

Hash A (expected)

Hash B (actual)

Case-sensitive comparison Strip whitespace before comparing

Why constant-time comparison matters

A naive === comparison short-circuits as soon as it finds the first mismatched character. An attacker who can measure server response time precisely can submit many candidate hashes and observe which ones take slightly longer — learning how many leading characters matched. This is a timing attack. Constant-time comparison always inspects every character regardless of where the mismatch is, leaking no positional information. In PHP use hash_equals(); in Python use hmac.compare_digest(); in Node.js use crypto.timingSafeEqual().

Summary

Paste two hash digests and instantly see whether they match, with length and encoding details.

How it works

Paste the first hash (expected) into the left input field.
Paste the second hash (actual) into the right input field.
Click "Compare Hashes" or press Enter to run the comparison.
The tool normalizes case, strips whitespace, and checks byte-by-byte equality.
A clear match or mismatch result is displayed along with encoding details and a diff highlight.

Use cases

Verify a downloaded file checksum matches the publisher's posted hash.
Debug why a password hash stored in a database does not match the computed value.
Confirm two API responses produce identical HMAC signatures.
Teach developers why constant-time string comparison matters against timing attacks.
Spot encoding mismatches (uppercase hex vs. lowercase, hex vs. Base64) causing false negatives.
Cross-check SHA-256 digests from two different tools to confirm consistency.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu