12 utilities for passwords, hashes, signatures, tokens, encryption and 2FA.
No sign-up. No tracking. No ads.
Generate strong, random passwords. Configurable length, symbols, look-alike exclusion. Cryptographically secure.
Entropy in bits, estimated online + offline crack time, common-pattern detection. Password never leaves the browser.
Memorable + cryptographically strong passphrases from the EFF wordlist. Entropy bits shown — runs in your browser.
MD5, SHA-1, SHA-256, SHA-512. Works on text or any file. Computed locally in your browser.
HMAC-SHA1/SHA-256/SHA-384/SHA-512 for API signing, JWT, webhook verification. Hex or Base64 output.
Decode JSON Web Tokens. See header, payload, and signature. Human-readable exp/iat timestamps.
Build and sign JSON Web Tokens with HS256/HS384/HS512 in your browser. Pairs with the existing JWT decoder.
Hash passwords with bcrypt at adjustable cost, or verify a password against an existing hash. Runs locally.
Create Apache and Nginx .htpasswd entries. Choose bcrypt or APR1 MD5. Copy the full one-line entry.
Classic letter-shift cipher with live preview. Any shift from 1 to 25, plus the ROT13 default. Both directions.
AES-GCM-256 with PBKDF2 key derivation. Browser-native via SubtleCrypto — password + plaintext stay local.
Generate Google-Authenticator-compatible 2FA codes from a base32 secret. RFC 6238. Live countdown.
Encode/decode text with the Vigenere keyword cipher. Two-way, live, browser-only.
Secure random API keys and tokens: hex, Base64, Base64URL or alphanumeric, bulk.
Encrypt/decrypt by shifting letters any amount (0–25). ROT13 included, live output.
Mirror the alphabet (A↔Z, B↔Y…). Self-inverse, keeps case & punctuation.
XOR text with a repeating key → hex, and back. UTF-8 aware, fully client-side.
SHA-256 / SHA-1 / SHA-512 checksum of a file, with optional compare. No upload.
Encode/decode the rail fence (zigzag) transposition cipher with any number of rails.
Convert letters to alphabet numbers (A=1 … Z=26) and back. Common puzzle cipher.
Encode/decode the Baconian cipher (each letter as five A's and B's).
Encode/decode the affine cipher (a·x + b mod 26) with a coprime multiplier.
Encode/decode the Polybius square (letters to row-column digit pairs, I/J shared).
Encode/decode the keyword columnar transposition cipher.
A browser-based security & cryptography toolkit — password generator + strength meter, Diceware passphrases, MD5 / SHA hashing, HMAC, bcrypt, JWT decode + sign, .htpasswd generator, AES-GCM-256 symmetric encrypt / decrypt, TOTP 2FA generator, ROT13. All cryptographic operations use the browser's Web Crypto API or vendored bcrypt — nothing is uploaded.
Yes — they use the browser's Web Crypto API (industry-standard, audited) for AES, SHA and HMAC. The bcrypt implementation is the maintained vendored bcryptjs library. JWT signing uses HMAC variants.
No — everything runs locally in your browser. No password, hash input or JWT secret is ever sent to a server. Even the TOTP secrets you test stay local.
MD5 and SHA-1 are insecure for cryptographic signatures but still widely used for non-security purposes (checksums, deduplication, legacy integration). The tool warns when you use them for security purposes.
Yes — it uses `crypto.getRandomValues()` (cryptographically secure pseudo-random) for every character, not `Math.random()`.