ToolKit

Security Tools

Free Online Security Tools

Browser-based security utilities that run entirely on your device. Generate cryptographically strong passwords, compute SHA hashes, decode JWT tokens, and create QR codes — without sending any data to a server.

Password Generator (Live): Strong random passwords with custom settings
Hash Generator (Live): SHA-1, SHA-256, SHA-384, SHA-512 hashes
Bcrypt Generator (Soon): Hash and verify passwords with bcrypt
JWT Decoder (Soon): Decode and inspect JWT tokens
QR Code Generator (Soon): Generate QR codes for URLs and text

Why use browser-based security tools?

Every security tool on ToolKit runs 100% in your browser using the Web Crypto API. This means your passwords, plaintext inputs, and cryptographic keys never leave your device — there is no server to breach, no logs to leak, and no third party involved.

This is especially important for security-related operations. When you generate a password or compute a hash on a server-based tool, you're trusting that the operator doesn't log your input. With client-side tools, you don't need to trust anyone — the code runs locally and you can verify it using your browser's developer tools.

The OWASP Top 10 consistently lists broken authentication and cryptographic failures among the most critical web application security risks. Strong, unique passwords and proper hashing are the first line of defense against both.

Security fundamentals every developer should know

Unique password per account
A single compromised password should never expose other accounts. Use a password manager (Bitwarden, 1Password) to store unique generated passwords for every service.
Use SHA-256, not SHA-1
SHA-1 is deprecated and considered cryptographically broken. Use SHA-256 or SHA-512 for all new implementations. SHA-256 is the current standard for TLS, code signing, and API authentication.
Never hash passwords with SHA
SHA is too fast for password storage. Use bcrypt, Argon2id, or scrypt — algorithms designed to be deliberately slow and resistant to GPU-accelerated brute-force attacks.
Verify file integrity with checksums
When downloading sensitive software or configuration files, verify the SHA-256 checksum provided by the publisher against the hash you compute locally.
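
An added example (not ToolKit's own code) of how a client-side password generator and a SHA-256 checksum check can be built on the Web Crypto API, as described in the sections above. The function names, the default alphabet and the fallback to Node's webcrypto are assumptions made for this example.

```javascript
// Added example, not ToolKit's code. Names and alphabet are assumptions.
// Browsers expose globalThis.crypto; older Node needs the node:crypto fallback.
async function getWebCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

const DEFAULT_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+';

// Unbiased password: bytes in the uneven tail of 0..255 are discarded,
// because `byte % alphabet.length` alone would favour the first characters.
async function generatePassword(length = 20, alphabet = DEFAULT_ALPHABET) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have 2..256 characters');
  }
  const wc = await getWebCrypto();
  const limit = 256 - (256 % alphabet.length); // largest multiple of the alphabet size
  const out = [];
  while (out.length < length) {
    // getRandomValues accepts at most 65536 bytes per call.
    const bytes = wc.getRandomValues(new Uint8Array(Math.min(length * 2, 65536)));
    for (const b of bytes) {
      if (b < limit && out.length < length) out.push(alphabet[b % alphabet.length]);
    }
  }
  return out.join('');
}

// SHA-256 of a string (encoded as UTF-8) or of raw bytes, as lowercase hex.
async function sha256Hex(input) {
  const wc = await getWebCrypto();
  const data = typeof input === 'string' ? new TextEncoder().encode(input) : input;
  const digest = await wc.subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Compare the locally computed digest with the publisher's value,
// ignoring case and surrounding whitespace in the published string.
async function verifyChecksum(input, publishedHex) {
  return (await sha256Hex(input)) === publishedHex.trim().toLowerCase();
}
```

In a browser, the bytes of a downloaded file (for example from `File.arrayBuffer()`) can be passed directly to `verifyChecksum`.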

FAQ

Common questions

Are these security tools safe to use?

Yes. Every tool on this page runs entirely in your browser using the Web Crypto API. No data — passwords, hashes, or keys — is ever sent to a server, stored, or logged. You can verify this by checking your network tab while using the tools.

What is the difference between hashing and encryption?

Hashing is a one-way process — you cannot reverse a hash to get the original input. Encryption is two-way — data can be decrypted with the right key. Use hashing for integrity verification and password storage (with bcrypt/Argon2). Use encryption for data that needs to be recovered.

How long should a secure password be?

NIST recommends at least 15 characters for general accounts. For high-value accounts like email or banking, use 20+ characters with a mix of uppercase, lowercase, numbers, and symbols. Length matters more than complexity.

Should I use SHA-256 for storing passwords?

No. SHA-256 is too fast — attackers can try billions of guesses per second. Use bcrypt, Argon2, or scrypt for password storage. These are intentionally slow algorithms designed to resist brute-force attacks.

What is a QR code used for in security?

QR codes are commonly used for two-factor authentication (2FA) setup, sharing WiFi credentials securely, and encoding URLs or contact information. When generating QR codes for sensitive data, use a client-side tool like this one so the data never leaves your device.
