Security & Crypto

12 utilities for passwords, hashes, signatures, tokens, encryption and 2FA.

No sign-up. No tracking. No ads.

Password Generator

Generate strong, random passwords. Configurable length, symbols, look-alike exclusion. Cryptographically secure.

Password Strength Checker

Entropy in bits, estimated online + offline crack time, common-pattern detection. Password never leaves the browser.

Diceware Passphrase

Memorable + cryptographically strong passphrases from the EFF wordlist. Entropy bits shown — runs in your browser.

Hash Generator

MD5, SHA-1, SHA-256, SHA-512. Works on text or any file. Computed locally in your browser.

HMAC Generator

HMAC-SHA1/SHA-256/SHA-384/SHA-512 for API signing, JWT, webhook verification. Hex or Base64 output.

JWT Decoder

Decode JSON Web Tokens. See header, payload, and signature. Human-readable exp/iat timestamps.

JWT Signer

Build and sign JSON Web Tokens with HS256/HS384/HS512 in your browser. Pairs with the existing JWT decoder.

Bcrypt Generator & Verifier

Hash passwords with bcrypt at adjustable cost, or verify a password against an existing hash. Runs locally.

.htpasswd Generator

Create Apache and Nginx .htpasswd entries. Choose bcrypt or APR1 MD5. Copy the full one-line entry.

ROT13 / Caesar Cipher

Classic letter-shift cipher with live preview. Any shift from 1 to 25, plus the ROT13 default. Both directions.

AES Encrypt / Decrypt

AES-GCM-256 with PBKDF2 key derivation. Browser-native via SubtleCrypto — password + plaintext stay local.

TOTP / 2FA Code Generator

Generate Google-Authenticator-compatible 2FA codes from a base32 secret. RFC 6238. Live countdown.

Vigenere Cipher

Encode/decode text with the Vigenere keyword cipher. Two-way, live, browser-only.

Random Key Generator

Secure random API keys and tokens: hex, Base64, Base64URL or alphanumeric, bulk.

About this toolkit

A browser-based security & cryptography toolkit — password generator + strength meter, Diceware passphrases, MD5 / SHA hashing, HMAC, bcrypt, JWT decode + sign, .htpasswd generator, AES-GCM-256 symmetric encrypt / decrypt, TOTP 2FA generator, ROT13. All cryptographic operations use the browser's Web Crypto API or vendored bcrypt — nothing is uploaded.

Who uses these tools

Frequently asked questions

Are the cryptographic operations secure?

Yes — they use the browser's Web Crypto API (industry-standard, audited) for AES, SHA and HMAC. The bcrypt implementation is the maintained vendored bcryptjs library. JWT signing uses HMAC variants.

Are my passwords / secrets uploaded?

No — everything runs locally in your browser. No password, hash input or JWT secret is ever sent to a server. Even the TOTP secrets you test stay local.

Why is MD5 included if it's insecure?

MD5 and SHA-1 are insecure for cryptographic signatures but still widely used for non-security purposes (checksums, deduplication, legacy integration). The tool warns when you use them for security purposes.

Does the password generator use a secure random source?

Yes — it uses `crypto.getRandomValues()` (cryptographically secure pseudo-random) for every character, not `Math.random()`.

← Browse all 254 tools