Cryptography & Security · 8 Tools

Free Online Cryptography & Security Tools

Security is not optional — it is the foundation of every reliable application. This collection of free, browser-based cryptography tools gives developers, security engineers, and system architects instant access to the most common security primitives: unique ID generation, cryptographic hashing, message authentication, key-pair creation, and credential formatting. Every tool on this page runs entirely within your browser using the Web Cryptography API (window.crypto). Your secrets, tokens, and passwords are never transmitted to any server. There are no logs, no analytics on inputs, and no storage — what happens in your browser stays in your browser.

Common Use Cases

API AuthenticationGenerate cryptographically secure API keys and tokens using our Token Generator. Use HMAC to sign webhook payloads and verify message authenticity.

Database Primary KeysGenerate UUID v4 or ULID identifiers for database records in PostgreSQL, MongoDB, or DynamoDB without requiring a central ID authority.

Password & Credential AuditsUse the Password Strength Analyser to evaluate credentials against entropy and pattern detection. Generate Basic Auth headers from username/password pairs.

Data Integrity VerificationCompute SHA-256 or SHA-512 hashes to verify file integrity during CI/CD pipelines, compare build artifacts, or validate downloaded binaries.

TLS & PKI DevelopmentGenerate RSA key pairs (1024/2048/4096 bit) for testing TLS configurations, JWT signing key pairs, or SSH public key authentication setups.

8 Tools in This Category

UUID v4 GeneratorPopular

RFC 4122 compliantOpen tool →

ULID Generator

Sortable unique IDOpen tool →

Token GeneratorPopular

API keys & random tokensOpen tool →

Hash GeneratorPopular

SHA-256, SHA-512 & moreOpen tool →

HMAC GeneratorPopular

Sign messages securelyOpen tool →

RSA Key Generator

1024/2048/4096 bit pairsOpen tool →

Password Strength

Security score & breakdownOpen tool →

Basic Auth

HTTP Authorization headersOpen tool →

In-Depth Guide: Free Online Cryptography & Security Tools

Why Client-Side Cryptography Matters

When you use an online tool that sends your data to a server to compute a hash or generate a token, you are trusting that server's security, logging practices, and access controls. For sensitive operations like password hashing or secret key generation, that trust is unacceptable. All tools in this security category use the native Web Cryptography API — specifically window.crypto.subtle for hash computations and window.crypto.getRandomValues() for randomness. These APIs are standardised by the W3C and implemented in every modern browser. The operations happen in your JavaScript engine, on your device, using your CPU. Nothing leaves. This matters most when working with secrets you cannot afford to expose: HMAC signing keys, API tokens, RSA private keys, or production passwords. By running everything client-side, we eliminate the risk of server-side interception, log exposure, or data breaches.

Understanding Cryptographic Primitives

Modern application security is built from a small set of well-understood primitives, each serving a distinct role: **Hashing (SHA-256, SHA-512)** — A one-way transformation that converts input of any size into a fixed-length digest. Identical input always produces identical output, but you cannot reverse the digest to recover the original. Used for: password storage (with a salt), data integrity checks, file fingerprinting, and the foundation of Git commit IDs and Bitcoin's proof-of-work. **Message Authentication (HMAC)** — Hashing combined with a secret key. Only parties who possess the key can compute or verify the signature. This proves both integrity (data was not tampered) and authenticity (it came from someone with the key). Used by: AWS Signature V4, Stripe webhooks, GitHub webhooks, and most modern REST APIs. **Symmetric Key Generation (Random Tokens)** — Cryptographically random byte sequences used as shared secrets. The security of symmetric encryption depends entirely on the randomness and secrecy of the key. Always use a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) — our Token Generator uses window.crypto.getRandomValues() exclusively. **Asymmetric Key Pairs (RSA)** — Two mathematically linked keys: a public key (which can be shared freely) and a private key (which must never leave your system). Anything encrypted with the public key can only be decrypted with the private key. Used for: TLS certificates (HTTPS), SSH authentication, JWT signing with RS256, and PGP email encryption. **Unique Identifiers (UUID/ULID)** — While not encryption, UUID v4 and ULID are essential security tools because non-guessable identifiers prevent Insecure Direct Object Reference (IDOR) attacks. If object IDs are sequential integers (1, 2, 3...), an attacker can simply increment the ID to access other users' records.

Choosing the Right Identifier: UUID, ULID, or Random Token

Three tools in this category generate identifiers, each optimised for different use cases: **UUID v4** is the safest choice for public-facing identifiers (user IDs, order numbers, resource slugs). It encodes zero metadata about creation time or machine, making it impossible for an external observer to infer anything from the ID itself. The 36-character format (including hyphens) is universally supported by databases, ORMs, and APIs. **ULID** is the better choice when you need IDs to sort chronologically. The first 10 characters encode a millisecond-precision timestamp, meaning records with ULIDs sort in creation order without a separate created_at index. This improves B-tree index performance in high-write-throughput systems like event logs, audit trails, or message queues. **Random Tokens** (hex or Base64) are ideal for bearer credentials that don't need a standardised format: API keys, OAuth client secrets, password reset links, CSRF tokens, and email verification codes. Choose 32 bytes (256 bits) minimum for tokens used in security-critical flows.

Frequently Asked Questions

Are these cryptography tools safe to use with real secrets?

Yes. All operations run client-side using window.crypto — the browser's native cryptography API. No input data is ever transmitted to a server, logged, or stored. You can safely use these tools with production passwords, API keys, and cryptographic secrets.

What is the difference between hashing and encryption?

Hashing is one-way — you cannot reverse a hash to recover the original input. Encryption is two-way — data encrypted with a key can be decrypted with the same (symmetric) or corresponding (asymmetric) key. Use hashing for passwords and integrity checks; use encryption when you need to recover the original data.

How secure is UUID v4 as a primary key?

UUID v4 generates 122 random bits per ID. The probability of a collision (generating the same UUID twice) is approximately 1 in 5.3×10³⁶ — effectively zero even at Google scale. UUID v4 IDs are also non-guessable, protecting against IDOR attacks that affect sequential integer IDs.

What is the minimum token length for a secure API key?

Security experts recommend at least 128 bits (16 bytes) for API keys, and 256 bits (32 bytes) for high-security secrets like JWT signing keys or OAuth client secrets. Our Token Generator lets you specify exact byte length and outputs in hex or Base64.

Is Basic Auth secure?

Only when used over HTTPS. Basic Auth encodes credentials in Base64 — which is trivially reversible — so it provides zero protection over an unencrypted connection. Over TLS, it is acceptable for internal APIs and development tools, but OAuth 2.0 or API key authentication is preferred for production.

Browse Other Categories

✏️ String & Text16 tools 🔄 Converters16 tools 🌐 Web & Development22 tools 🔢 Network6 tools 🧮 Math & Measurement4 tools 🎨 Images & Design5 tools ⚡ Productivity5 tools