Security tools guide

These tools help with common security tasks—generating passwords, checking strength, hashing inputs, creating HMACs, and decoding JWTs. All processing runs in your browser whenever possible.

Key concepts (plain English)
  • Hash: one-way fingerprint of data (not reversible).
  • HMAC: a hash keyed with a shared secret; anyone holding the key can check that a message is unaltered and came from another key holder.
  • Bcrypt: slow password hashing designed to resist brute force.
  • JWT: signed token; decoding shows claims but doesn’t verify trust by itself.

Practical safety tips

  • Prefer password managers and long random passwords.
  • Never paste secrets into tools you don’t trust; prefer tools like these that process everything locally in the browser, and confirm that no request carries your input to a server.
  • JWT decoding is for inspection only; trusting a token requires verifying its signature with the right key and the algorithm you expect, then checking issuer, audience and expiry.

Passwords: length beats “clever” complexity

A long, randomly generated password is harder to crack than a short password with mixed symbols, because every extra character multiplies the number of guesses an attacker must make, while a bigger symbol set only adds a little per character. If you can, use a password manager so every site has a unique password. For accounts that support it, enable multi-factor authentication as well.
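The comparison above in numbers, as an added example (not the page's own generator code): a generator that draws characters with the operating system's CSPRNG via `secrets`, plus an entropy estimate showing that 20 lowercase letters beat 10 characters from the full printable set. The function names and alphabets are this example's own choices.

```python
import math
import secrets
import string

# Alphabets used in the comparison; their sizes are what matter for entropy.
LOWER = string.ascii_lowercase                                    # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random.

    Each character contributes log2(alphabet_size) bits, so length scales the
    total linearly while a bigger alphabet only adds a little per character.
    """
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = FULL) -> str:
    """Draw each character with the OS CSPRNG via `secrets`.

    `random.choice` is seeded from a small, predictable state; `secrets` is the
    right module for anything an attacker might try to guess.
    """
    symbols = "".join(sorted(set(alphabet)))  # dedupe so every symbol is equally likely
    if length < 1 or len(symbols) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def compare_strengths() -> dict:
    """Length beats complexity: 20 lowercase letters beat 10 'complex' characters."""
    return {
        "10 chars, 94-symbol alphabet": round(entropy_bits(10, len(FULL)), 1),   # 65.5 bits
        "20 chars, lowercase only": round(entropy_bits(20, len(LOWER)), 1),      # 94.0 bits
    }
```

The estimate only holds for passwords that really are random; a human-chosen 20-letter phrase has far less entropy than `entropy_bits(20, 26)` suggests, which is why the page recommends a password manager.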

Hashing vs encryption (common confusion)

Hashing is one-way: it produces a fingerprint that should not be reversible. Encryption is two-way: it’s designed to be decrypted with a key. If your goal is “store passwords safely”, use a password hashing function (bcrypt/scrypt/Argon2) rather than encrypting the password. If an attacker steals an encryption key, every encrypted password is recovered at once; properly hashed passwords still have to be guessed one at a time.

Hash algorithms: pick modern defaults

For general-purpose hashing, prefer SHA‑256 or SHA‑512. MD5 and SHA‑1 are broken for collision resistance: attackers can produce two different inputs with the same digest, so they must not be used for signatures, certificates, or anything an adversary could influence. You will still meet them in legacy checksums, where they can catch accidental corruption but give no protection against deliberate tampering.

HMAC: prove authenticity, not secrecy

An HMAC combines a message and a secret key to produce a fixed-size tag (often loosely called a signature). Anyone holding the same key can recompute the tag and detect tampering, which proves the message came from a key holder; because both sides share the key, it does not prove which one, unlike a digital signature. Compare tags with a constant-time function rather than plain string equality. An HMAC does not encrypt the message: anyone can still read the contents unless you encrypt separately.
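The two sections above (a bare hash versus an HMAC) side by side, as an added example rather than the page's own tool code. It uses only the Python standard library; the JSON message and the "attacker guess" key are constructed for the demo, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a message handed to an untrusted party and received back later.
MESSAGE = b'{"order_id": 1001, "amount": 19.99}'
TAMPERED = b'{"order_id": 1001, "amount": 0.01}'


def sha256_hex(data: bytes) -> str:
    """Bare hash: a fingerprint that anyone can recompute for any input."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed tag: only someone holding `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison; `==` on tags leaks how many leading bytes matched."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def demo() -> dict:
    key = secrets.token_bytes(32)  # shared secret; generated here for the demo
    tag = hmac_sha256_hex(key, MESSAGE)

    # Scheme 1: ship the message with its SHA-256. An attacker who edits the
    # message simply recomputes the digest, so the check passes on tampered data.
    attacker_digest = sha256_hex(TAMPERED)
    hash_check_fooled = sha256_hex(TAMPERED) == attacker_digest

    # Scheme 2: ship the message with an HMAC. Without the key the attacker can
    # neither reuse the old tag nor compute a valid new one.
    forged_tag = hmac_sha256_hex(b"attacker-guess", TAMPERED)
    return {
        "hash_check_fooled": hash_check_fooled,
        "hmac_original_ok": verify_hmac(key, MESSAGE, tag),
        "hmac_tampered_rejected": not verify_hmac(key, TAMPERED, tag),
        "hmac_forged_rejected": not verify_hmac(key, TAMPERED, forged_tag),
        # The tag proves authenticity, not secrecy: the message is still plaintext.
        "message_readable": MESSAGE.decode("ascii"),
    }
```

The same `hmac.compare_digest` call is what a webhook receiver should use when checking a provider's signature header; the swap from SHA-256 to SHA-512 is a one-argument change in `hmac.new`.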

Bcrypt: designed for storing passwords

Bcrypt is intentionally slow and includes a random per-password salt and a cost factor (the work roughly doubles each time the cost goes up by one), which makes brute-force guessing far more expensive for attackers. Store the full bcrypt output string, for example $2b$12$ followed by the encoded salt and hash; it embeds the version, cost and salt needed for verification, so you can raise the cost for new hashes without invalidating old ones. Two caveats: bcrypt only uses the first 72 bytes of the password, and the cost should be tuned so a single hash takes tens to hundreds of milliseconds on your own hardware.

JWT decoding: inspection only unless you verify

A JWT has three base64url-encoded parts: a header, a payload (claims), and a signature. Decoding the first two shows what is inside, but anyone can mint a token with any claims, so decoding alone proves nothing about trustworthiness. Verification means checking the signature against the correct key using the algorithm you expect (never the one the token’s alg header asks for, which is how “alg: none” and key-confusion attacks work), then validating the issuer (iss) and audience (aud) and confirming the token has not expired (exp), with a small allowance for clock skew if needed.
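Decoding versus verifying, as an added example in standard-library Python (not the page's decoder): `decode_jwt` only unpacks the token, `verify_hs256` pins the algorithm, checks the HMAC-SHA256 signature and then iss/aud/exp, and `tamper` and `as_alg_none` show two edits that decode fine but fail verification. The signing key, issuer and audience values used in the test are constructed for the demo; the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    """JWT segments omit base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_jwt(token: str) -> dict:
    """Inspection only: header and claims, with nothing checked."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Signature with a pinned algorithm, then iss, aud and exp. Raises ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. Trusting header["alg"] is what lets "alg": "none" and
    # RS256->HS256 key-confusion tokens through.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def check(token: str, key: bytes, issuer: str, audience: str, now=None) -> str:
    """'ok' or the reason verification failed."""
    try:
        verify_hs256(token, key, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token (normally only the issuer does this; here it builds test input)."""
    header_b64 = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(_json(claims))
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def tamper(token: str, **changes) -> str:
    """Attacker edit without the key: still decodes, no longer verifies."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{b64url_encode(_json(claims))}.{sig_b64}"


def as_alg_none(token: str) -> str:
    """Classic bypass attempt: rewrite the header to alg=none and drop the signature."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return f"{b64url_encode(_json({'alg': 'none', 'typ': 'JWT'}))}.{payload_b64}."
```

Note the order inside `verify_hs256`: the signature is checked before any claim is read, so a forged payload never influences control flow, and `exp` is treated as mandatory rather than optional.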

Why “secure context” matters

Some browser features (Web Crypto’s crypto.subtle and the asynchronous clipboard API among them) are only exposed in a secure context. Pages served over https:// qualify, and so does http://localhost, but http:// from any other host name or IP address, such as a dev server reached from another machine on the LAN, does not, and the browser hides these APIs (crypto.subtle is simply undefined). You can confirm with window.isSecureContext in the console. On Cloudflare Pages (HTTPS) they work normally.

For sourcing and corrections standards, see our Editorial & Accuracy Policy.