Security
Browse 11 professional tools
CSP Builder
Data Breach Checker
Encryption Playground
Hash Generator
Passphrase Generator
Password Generator
SSH Key Generator
SSL Certificate Analyzer
SSL Certificate Checker
Text Encryption Tool
TOTP Authenticator
Security tools fall into two camps — primitives (hash, encrypt, generate keys) and verifiers (SSL checker, breach checker, certificate analyzer). The dangerous category is the primitives: a tool that "encrypts" without authentication, or generates a "secure" password using Math.random, is worse than no tool at all. Everything here uses Web Crypto API (AES-GCM, PBKDF2, ECDSA, Ed25519) and crypto.getRandomValues — the same primitives that TLS and SSH use. All run locally; passphrases and secrets never leave the tab.
Credentials & secrets
Diceware passphrases (EFF long word list) give 12.92 bits of entropy per word — six words ≈ 77 bits, comparable to a 12-character random password but actually memorizable. TOTP is computed locally via the standard HMAC-SHA1 dynamic-truncation algorithm.
Generate strong random passwords with letters, numbers, symbols. Customizable length and complexity. Free secure password generator online
Generate secure passphrases using Diceware and EFF wordlists. Create memorable yet strong passwords. Free online passphrase maker
Generate 2FA codes (Google Authenticator compatible). Add secrets manually or scan QR codes. Free online TOTP generator for testing two-factor authentication
Generate SSH key pairs (RSA, Ed25519) in your browser. Export in OpenSSH or PEM format. Secure client-side key generation. Free online SSH keygen tool
Hashing & encryption
AES-256-GCM with PBKDF2-derived keys (600k iterations, OWASP 2023). For verifying downloads, prefer SHA-256 published by the source over the same channel that delivered the file — checksums on the same mirror as the file catch corruption but not malicious modification.
Generate MD5, SHA-1, SHA-256, SHA-512 hashes from text or files. Verify file checksums. Free online hash calculator and checksum generator
Calculate MD5, SHA-1, SHA-256, SHA-512 checksums for files. Verify file integrity and compare hashes. Free online file hash calculator
Encrypt and decrypt text with AES-256 encryption. Secure message encryption with password protection. Free online text encryptor/decryptor
Learn how AES and RSA encryption works step by step. Visualize encryption process, key generation, and cipher operations. Interactive cryptography tutorial
TLS / certificates
SSL Checker fetches the live certificate chain and flags weak signatures (SHA-1), missing intermediates, and short renewal windows. CSP Builder produces correct script-src / frame-ancestors / object-src directives; default to nonce-based or strict-dynamic for new sites.
Check SSL certificate for any domain. View expiration date, issuer, certificate chain. Verify HTTPS security and get SSL rating
Analyze X.509 SSL/TLS certificates. View issuer, validity, SANs, certificate chain. Check SSL certificate details. Free online certificate decoder
Build Content-Security-Policy headers visually. Add directives, sources, preview policy. Free online CSP generator for web security
Debug CORS issues, analyze headers, generate server configurations. Support for Express, Nginx, Apache, Django, Flask, Spring Boot. Learn CORS concepts. Free online CORS tester
Breach awareness
Queries Have I Been Pwned via the k-anonymity API (SHA-1 prefix only, never the full email/hash). Most email addresses active since 2010 appear in 5+ breaches; the action item is unique passwords per site (password manager) plus 2FA, not panic.
Frequently asked questions
Are these cryptographically safe?
For primitives that ship in modern browsers (Web Crypto API: AES-GCM, ECDSA, PBKDF2, getRandomValues), yes — these are the same building blocks that TLS uses. The risk is implementation: a bad parameter choice (reused IV, weak KDF cost) can make safe primitives unsafe. We document the parameters in each tool so you can audit.
Should I trust a web page with my production secrets?
No web tool, including these, should handle production secrets. Even if no data leaves the tab, an XSS in the page or a malicious extension can read it. Use these for: throwaway test data, learning, debugging your own crypto code with known test vectors. For production secrets: a real password manager and KMS.
What is the difference between hashing and encrypting?
Hashing is one-way: given the hash you cannot recover the input. Used for password storage (use bcrypt / Argon2id, not SHA-256), file integrity, signatures. Encryption is two-way: with the key you recover the input. Use AES-GCM (authenticated) for confidentiality; never store passwords encrypted.
How often should I rotate passwords?
NIST 800-63B since 2017: do not rotate on a calendar. Rotate when there is evidence of compromise (breach, suspected leak). Forced calendar rotation makes users pick weaker, more memorable passwords — net negative.
Last updated · E-Utils editorial team