Security Tools

Free Online Security Tools

Browser-based security utilities that run entirely on your device. Generate cryptographically strong passwords, compute SHA hashes, decode JWT tokens, and create QR codes — without sending any data to a server.

Specialized versions

WiFi Password Generator
Password Generator for Testing & Development
20 Character Password Generator
Password Generator Without Special Characters
8 Character Password Generator
12 Character Password Generator
32 Character Password Generator
64 Character Password Generator
Number-Only Password Generator
Letters-Only Password Generator
Alphanumeric Password Generator
Hex Password Generator
Bank Account Password Generator
Email Account Password Generator
Gaming Account Password Generator
Social Media Password Generator
School & Student Password Generator
Bulk Password Generator
Memorable Password Generator
Passphrase Generator
Pronounceable Password Generator
Password Generator for Kids
Work & Corporate Password Generator
Temporary Password Generator
PIN Code Generator
Database Password Generator
SSH Key Passphrase Generator
Crypto Wallet Password Generator

Why use browser-based security tools?

Every security tool on ToolKit runs 100% in your browser using the Web Crypto API. This means your passwords, plaintext inputs, and cryptographic keys never leave your device — there is no server to breach, no logs to leak, and no third party involved.

This is especially important for security-related operations. When you generate a password or compute a hash on a server-based tool, you're trusting that the operator doesn't log your input. With client-side tools, you don't need to trust anyone — the code runs locally and you can verify it using your browser's developer tools.

The OWASP Top 10 consistently lists broken authentication and cryptographic failures as the most critical web application security risks. Strong, unique passwords and proper hashing are the first line of defense against both.

Security best practices

Unique password per account
A single compromised password should never expose other accounts. Use a password manager to store unique generated passwords for every service.

Use SHA-256, not SHA-1
SHA-1 is deprecated and cryptographically broken. Use SHA-256 or SHA-512 for all new implementations.

Never hash passwords with SHA
SHA is too fast for password storage. Use bcrypt, Argon2id, or scrypt — algorithms designed to resist GPU brute-force attacks.

Verify file integrity with checksums
When downloading sensitive software, verify the SHA-256 checksum provided by the publisher against the hash you compute locally.

FAQ

Common questions

Are these security tools safe to use?

Yes. Every tool runs entirely in your browser using the Web Crypto API. No data — passwords, hashes, or keys — is ever sent to a server, stored, or logged.

What is the difference between hashing and encryption?

Hashing is one-way — you cannot reverse a hash. Encryption is two-way — data can be decrypted with the right key. Use hashing for integrity verification and password storage. Use encryption for data that needs to be recovered.

How long should a secure password be?

NIST recommends at least 15 characters for general accounts. For high-value accounts use 20+ characters with uppercase, lowercase, numbers, and symbols. Length matters more than complexity.
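
The following added example, which is not ToolKit's own code, shows one way to draw password characters from the Web Crypto API without modulo bias, and computes entropy to show why length outweighs complexity. The alphabets, the function names and the injectable `rng` parameter are assumptions made for this example.

```javascript
// Constructed sample alphabets (assumptions for this example).
const ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const ALPHABETS = {
  hex: "0123456789abcdef",
  alnum: ALNUM,
  full: ALNUM + "!#$%&*+-=?@^_",
};

// Generate a password with crypto.getRandomValues and rejection sampling.
// `rng` defaults to the platform Web Crypto object; it is injectable only so
// the sampling logic can be exercised with known bytes.
function generatePassword(length, alphabet, rng = globalThis.crypto) {
  const chars = Array.from(new Set(alphabet)); // duplicates would skew odds
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  if (chars.length < 2 || chars.length > 256) {
    throw new RangeError("alphabet must have 2..256 distinct characters");
  }
  // Largest multiple of chars.length that fits in one byte. Bytes at or above
  // it are discarded; otherwise `byte % n` would favour the first characters.
  const limit = 256 - (256 % chars.length);
  // getRandomValues accepts at most 65536 bytes per call.
  const buf = new Uint8Array(Math.min(65536, Math.max(32, length * 2)));
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // rejected: would introduce bias
      out.push(chars[byte % chars.length]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}

// Entropy in bits of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

By this measure, 20 alphanumeric characters carry about 119 bits, while 12 characters drawn from a 94-symbol set carry about 79 bits.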

Should I use SHA-256 for storing passwords?

No. SHA-256 is too fast — attackers can try billions of guesses per second. Use bcrypt, Argon2, or scrypt for password storage.

What is a QR code used for in security?

QR codes are used for 2FA setup, sharing WiFi credentials, and encoding URLs. Use a client-side generator so sensitive data never leaves your device.
