Cipher Decipher
← Back to categories

Security & Hashing

Hashes, fingerprints, and quick security-related utilities.

17 tools available
JWT Decoder
Decode and view JSON Web Tokens to inspect headers, payload, and signature.
MD5 Hash Generator
Generate MD5 cryptographic hashes for data integrity verification.
SHA-256 Hash Generator
Generate SHA-256 cryptographic hashes for secure data verification.
Password Strength Checker
Evaluate password strength and get security recommendations.
UUID Generator
Generate unique UUIDs for identifiers and database keys.
Random String Generator
Generate secure random strings for passwords and tokens.
SHA-1 Hash Generator
Generate SHA-1 hashes for data integrity verification and legacy compatibility.
SHA-512 Hash Generator
Generate SHA-512 hashes for maximum security and data integrity verification.
HMAC Generator
Generate hash-based message authentication codes for secure message verification.
bcrypt Hash Checker
Verify and analyze bcrypt password hashes for security validation and format checking.
Salt Generator
Generate cryptographic salts for secure password hashing and random number generation.
Entropy Calculator
Measure password/string randomness and strength using Shannon entropy analysis.
Checksum Calculator
Calculate Luhn, CRC32, MD5, and SHA1 checksums for data validation and integrity checking.
SHA-3 / SHAKE Hash Generator
Generate SHA-3 and SHAKE hashes using the latest Keccak sponge construction algorithms.
PBKDF2 / Argon2 Hash Tool
Modern password hashing with PBKDF2 and Argon2 algorithms for secure key derivation.
OTP / TOTP Generator
Generate time-based and counter-based one-time passwords for two-factor authentication.
RSA Key Inspector
Inspect RSA public and private keys to view parameters, format, and security properties.

Introduction

Generating secure passwords, verifying file integrity, or implementing authentication? Security and hashing tools provide cryptographic primitives for data integrity, password storage, and digital signatures. These include hash functions (SHA-256, MD5), password generators, HMAC calculators, and key derivation tools. Unlike encodings, these are one-way functions—you cannot reverse a hash to recover the original data. All processing happens in your browser—no data leaves your device.

What this category includes

  • SHA-256 and SHA-512 hash generators following NIST FIPS 180-4 standards
  • MD5 hash calculator for legacy compatibility and file verification
  • HMAC (Hash-based Message Authentication Code) for message authentication
  • PBKDF2 key derivation for secure password hashing with salt and iterations
  • Secure random password generators with customizable entropy

How these tools work

Cryptographic hash functions take arbitrary-length input and produce fixed-length output. SHA-256, defined in NIST FIPS 180-4, outputs 256 bits (64 hex characters). The function processes input in 512-bit blocks, applies compression functions, and produces a deterministic output. The same input always produces the same hash, but even a single bit change in input produces a completely different output (avalanche effect).

HMAC adds a secret key to hashing for authentication. HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)), where H is the hash function, opad is outer padding, and ipad is inner padding. This prevents length extension attacks and ensures only someone with the key can generate valid HMACs.

PBKDF2 (Password-Based Key Derivation Function 2) derives cryptographic keys from passwords using a salt and iteration count. The salt prevents rainbow table attacks, and iterations increase computational cost to slow down brute-force attacks. NIST SP 800-132 recommends at least 10,000 iterations for PBKDF2.

How the underlying systems work

Modern cryptography is built on mathematical foundations that make certain problems computationally infeasible. Hash functions rely on collision resistance—finding two different inputs with the same hash should be practically impossible. SHA-256 has a 256-bit output, meaning there are 2^256 possible hash values. A birthday attack would require approximately 2^128 hash operations to find a collision, which is beyond current computing capabilities.

Password hashing differs from general-purpose hashing. Passwords have low entropy (human-chosen), so attackers can guess billions of passwords per second using GPUs. PBKDF2, bcrypt, and Argon2 add computational work (iterations, memory hardness) to slow down attacks. NIST SP 800-63B recommends using specialized password hashing functions, not general-purpose hashes like SHA-256, for password storage.

MD5, published in 1992 as RFC 1321, produces 128-bit hashes. It is cryptographically broken—collisions can be found in seconds. However, it remains useful for file integrity checks where malicious actors aren't expected to craft collisions. Never use MD5 for security-critical applications like digital signatures or password storage.

How to use these tools

  1. Select the cryptographic function based on your use case (SHA-256 for integrity, PBKDF2 for passwords)
  2. Enter your input data—text, file content, or password
  3. For HMAC, enter the secret key used for authentication
  4. For PBKDF2, configure salt and iteration count (higher iterations = more security but slower)
  5. Copy the hash output for use in your application or verification

Real-world examples

File Integrity Verification

A software distributor provides SHA-256 hashes for downloads. Users download a file, run it through the SHA-256 tool, and compare the output to the published hash. If they match, the file is intact. If not, the file was corrupted or tampered with. This is standard practice for Linux distributions and security software.

API Authentication

A web API uses HMAC for request authentication. The client has a secret key. For each request, they compute HMAC(key, request_body) and send it in the Authorization header. The server recomputes the HMAC with the stored key. If they match, the request is authentic and unmodified. This prevents replay attacks and tampering.

Secure Password Storage

A web application stores user passwords. Instead of storing plaintext, they use PBKDF2 with a random salt and 100,000 iterations. When a user registers, the tool generates: hash = PBKDF2(password, salt, 100000). The database stores (salt, hash). On login, the tool recomputes with the stored salt and compares hashes. Even if the database leaks, attackers must brute-force each password individually.

Comparison of methods

MethodComplexityTypical use
SHA-256O(n)Integrity, digital signatures
SHA-512O(n)High-security applications
MD5O(n)Legacy file verification
HMACO(n)API authentication
PBKDF2O(n·k)Password hashing

Limitations

Hash functions are one-way—you cannot recover the original data from a hash. If you need reversible encryption, use AES. Hash collisions are theoretically possible (pigeonhole principle), though computationally infeasible for SHA-256. MD5 is broken—do not use it for security. Password hashing requires proper salt and iteration configuration; misconfigured PBKDF2 (low iterations, no salt) is as weak as plaintext. For production systems, use established libraries (libsodium, bcrypt) rather than implementing these algorithms yourself.

Frequently asked questions

Related categories

Conclusion

Security and hashing tools provide the cryptographic primitives needed for modern applications. Use SHA-256 for integrity verification, HMAC for authentication, and PBKDF2 for password storage. Remember that these are building blocks—production systems require proper key management, secure random number generation, and defense-in-depth. For reversible encryption, explore the Classical Ciphers category to understand why modern encryption is necessary.