Security Tools

Twelve browser-based utilities for password generation, cryptographic hashing, AES encryption, and JWT inspection, built for developers and sysadmins who need to ship a credential without piping it through a third-party server. A backend engineer rotating database passwords during a 2 a.m. incident can generate a 32-character random string, bcrypt-hash it, and paste a decoded JWT payload to verify the new token claims, all inside the same tab. Every tool runs client-side. No sign-up, no upload, no logged plaintext.
What you can do with security tools
Most visitors arrive on this page for one of three jobs:

Generate strong, random passwords up to 64 characters with Password Generator.
Hash a string with SHA-256, SHA-512, bcrypt, or PBKDF2 via SHA Hash Generator.
Decode and inspect a JSON Web Token from Auth0, Cognito, or Firebase using JWT Decoder.

Pick Security Tools when the input is sensitive, credentials, secrets, signed tokens, anything you would refuse to paste into a random web form. For Base64 or URL encoding without cryptographic guarantees, Encoding Tools are faster and lighter. For JSON inspection or bulk UUIDs as primary keys, Data Tools cover the broader use case. Security Tools earn their keep when the output needs cryptographic strength, not just format conversion.
The Security toolkit

Tool
What it does
When to use

Password Generator
Generates random passwords with configurable length, symbols, and digit rules.
Setting up a new database user that needs a 24-character mixed-case password.

Generate Random Password
Creates one or many random passwords from a chosen alphabet.
Bulk-provisioning 50 service accounts that each need a unique credential.

Password Strength Checker
Scores a password against entropy, dictionary, and pattern checks.
Verifying a teammate’s suggested passphrase isn’t a top-1000 weak choice.

Bcrypt Generator
Produces bcrypt hashes with adjustable cost factor between 4 and 14.
Storing the password for a new admin user when your app expects bcrypt.

SHA Hash Generator
Computes SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 digests.
Verifying a downloaded ISO matches the SHA-256 checksum from the vendor’s site.

PBKDF2 Hash Generator
Derives a key from a password using PBKDF2 with custom iterations and salt.
Producing a derived key for a CLI that expects PBKDF2-SHA-256 with 100k rounds.

Text Hash Generator
Hashes input with MD5, SHA-1, RIPEMD-160, and other legacy algorithms.
Comparing two strings against a legacy MD5 fingerprint stored in an old database.

String Hash Generator
Produces non-cryptographic hashes such as CRC32 and FNV for short strings.
Building a deterministic shard key from a tenant ID without a crypto dependency.

AES Text Encryptor
Encrypts and decrypts text with AES-128, AES-192, or AES-256 in CBC mode.
Wrapping a short config value before pasting it into a shared issue tracker.

Text Encryption Tool
Provides multiple symmetric ciphers including AES, TripleDES, and Rabbit.
Encrypting a snippet for a colleague stuck with a TripleDES-only library.

JWT Decoder
Decodes the header, payload, and signature segments of any JSON Web Token.
Debugging a 401 response by inspecting the exp and aud claims of the rejected token.

UUID Generator
Generates UUID v1, v4, v5, and Nil UUIDs in single or bulk mode.
Seeding 200 unique IDs for a database migration that needs deterministic rows.

Hash generators. SHA Hash Generator covers the SHA-2 family, Bcrypt Generator handles password storage with a tunable cost factor, and PBKDF2 Hash Generator derives keys from passphrases. For older MD5 or RIPEMD-160 fingerprints, reach for Text Hash Generator.
Password utilities. Password Generator controls length and character classes for one-off credentials; Generate Random Password is faster for bulk runs. Run any candidate through Password Strength Checker before storing it.
Encryption and tokens. AES Text Encryptor and Text Encryption Tool handle symmetric encryption with shared keys. JWT Decoder reads tokens from any RFC 7519 issuer, and UUID Generator produces v4 random or v5 namespaced IDs.
How to choose the right security tool

Storing a password in a database → use Bcrypt Generator, never MD5 or SHA-1.
Deriving a deterministic key from a passphrase → use PBKDF2 Hash Generator with at least 100,000 iterations.
Verifying a file checksum → use SHA Hash Generator and match the SHA-256 or SHA-512 digest.
Sharing a short encrypted string with a teammate → use AES Text Encryptor with a pre-shared key.
Debugging an authentication flow → use JWT Decoder to inspect claims and timestamps.

The trade-off that matters most is speed versus cost. A faster hash like MD5 or SHA-1 is unsuitable for password storage because it is also faster to brute-force on a GPU farm. Bcrypt and PBKDF2 are deliberately slow by design. For checksums, pick speed; for credentials, pick cost.
Frequently asked questions
Q: Are these security tools safe to use for real passwords?
All twelve tools run in your browser using JavaScript Web Crypto APIs, input never leaves the page, and nothing is logged. For one-off credentials and incident response, that’s the correct trust model. For long-term secrets, generate the password locally and write it directly into a manager like Vault or AWS Secrets Manager.
Q: What’s the difference between bcrypt and PBKDF2?
Both are deliberately slow key-derivation functions designed to resist brute-force attacks. Bcrypt Generator uses a Blowfish-derived schedule with a tunable cost factor and is the default in many web frameworks. PBKDF2 is older, FIPS-approved, and configurable by iteration count, pick it when NIST-compliant primitives are required. For new applications, bcrypt or Argon2 is the safer default.
Q: Can I decode a JWT signature without the secret key?
JWT Decoder reads and Base64-decodes the header and payload, both are public by design. The signature is shown as raw bytes. Verifying that the signature is valid requires the issuer’s HMAC secret or RSA/ECDSA public key, which the tool does not store. Decoding is safe; signature verification needs the key.
Q: Which UUID version should I generate?
Use UUID v4 for random unique IDs, the default for most database primary keys and API request IDs. Use UUID v5 when the same input string must produce the same UUID every time, useful for namespacing and idempotency. UUID v1 is timestamp-based and leaks the MAC address of the generator; avoid it unless you need time-ordering. UUID Generator supports all three.
Q: How long should a strong password be?
For human-typed passphrases, 16 characters with mixed case, digits, and symbols clears most modern entropy thresholds. For machine-only credentials like database passwords or API keys, use 32 or 64 characters from a full alphanumeric-plus-symbols pool. Anything scoring under 80 bits of entropy in Password Strength Checker is too short for production.
Q: Is AES-256 better than AES-128?
For practical purposes, both are unbreakable by brute force with current and projected computing power. AES-256 uses a longer key and 14 rounds versus AES-128’s 10 rounds, slightly slower, marginally more resistant to theoretical attacks. NIST recommends AES-256 for top-secret data, AES-128 for everything else. AES Text Encryptor supports both. The bigger risk than key length is a weak passphrase or a reused IV.
For Base64 or hex encodings used alongside crypto work, see Encoding Tools. For JSON payloads inside decoded JWTs or bulk UUID generation, Data Tools covers the broader data-shape work. For regex testing, cron syntax, and other backend utilities, Developer Tools sits next door.