Security
Free Online Security Tools: Passwords, Encryption and Hashing
Published July 1, 2026 ยท 5 min read
Most free online tools that touch security have a structural problem: they ask you to upload sensitive data to a server you don't control, or require an account that logs and stores your activity. Browser-based security tools solve this by running all processing locally โ your password, plaintext, or photo never leaves your machine.
The tools below cover the full practical range of personal and developer security tasks: generating and checking passwords, hashing data for integrity verification, encrypting text, stripping photo metadata, and decoding web tokens. Everything runs in your browser, requires no sign-up, and stores nothing. The full collection is in the Nutilz tool library.
Password Generator
A password's strength comes from its entropy โ the number of possible combinations an attacker must search through. A 12-character password using only lowercase letters has about 2612 โ 95 billion possible values. Adding uppercase, digits, and symbols expands the character set from 26 to 94, pushing the search space to 9412 โ 475 quadrillion โ roughly 5 million times harder to brute-force.
The Password Generator creates cryptographically random passwords at any length with full control over character sets: uppercase, lowercase, digits, and symbols. Cryptographic randomness matters here โ unlike a standard random number generator, the browser's crypto.getRandomValues() API produces values that cannot be predicted from previous outputs, which is the property that makes passwords genuinely unguessable rather than just appearing random.
Practical guidance: 16+ characters with all character classes enabled is the standard recommended by NIST as of 2024. Longer is always better when a site permits it. Generate a unique password per site โ reuse is the single most exploited credential weakness.
Password Strength Checker
Generating a strong password is one problem. Auditing passwords you already have โ or checking whether a specific pattern you've been using is actually secure โ is a separate task.
The Password Strength Checker analyzes a password against the criteria that matter: length, character class diversity, presence of common patterns (dictionary words, keyboard walks like qwerty, repeated characters), and an estimated crack time based on current hardware benchmarks.
The crack time estimate is the most useful output. A password like Summer2024! scores moderately on character diversity but fails the dictionary + year pattern check โ an attacker running a rule-based attack against a leaked hash would crack it in minutes, not years. The checker surfaces exactly this kind of hidden weakness that a simple length check misses.
Hash Generator โ SHA-256, MD5 and More
Hashing and encryption are often confused. The key difference: encryption is reversible (you can decrypt with the right key), hashing is not (the hash cannot be reversed to recover the input). This makes hashing useful for three specific problems:
- File integrity verification. Download a file and run it through SHA-256. Compare the result to the hash published by the software author. If they match exactly, the file was not tampered with in transit.
- Password storage verification. Databases store password hashes, not plaintext. When you log in, the system hashes your input and compares it to the stored hash โ your actual password never touches a database in plaintext.
- Data fingerprinting. Hash a document or a block of text to produce a fixed-length fingerprint that uniquely identifies that exact input. Any change to the input โ even a single character โ produces a completely different hash.
The Hash Generator supports MD5, SHA-1, SHA-256, SHA-384, and SHA-512. Use SHA-256 or higher for any security-relevant purpose โ MD5 and SHA-1 have known collision vulnerabilities and should only be used for non-security checksums where legacy compatibility is required.
Worked example: paste the text hello and it produces the SHA-256 hash 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824. Change a single letter to Hello and the hash changes completely โ this "avalanche effect" is the core property that makes hashes useful for detecting any modification.
Text Encryption and the Caesar Cipher
Where hashing produces a one-way fingerprint, encryption produces a ciphertext that can be reversed given the correct key. For encrypting a message, note, or block of sensitive text before storing or sharing it, the Text Encrypt & Decrypt tool uses AES encryption to transform plaintext into an unreadable ciphertext string that can only be reversed with the same key.
A practical use case: you need to share a password or API key over an inherently insecure channel (email, a screenshot, a note in a shared doc). Encrypt it with a key you communicate separately via a different channel. The recipient pastes the ciphertext and the key into the decryption tool to recover the original. Without the key, the ciphertext reveals nothing about the content.
For understanding how classical ciphers work rather than for real security, the Caesar Cipher tool encodes and decodes text by rotating each letter a fixed number of positions. Julius Caesar reportedly used a shift of 3 โ A becomes D, B becomes E, and so on. It is trivially broken with frequency analysis but remains the canonical starting point for learning substitution cipher concepts.
EXIF Data Remover โ The Hidden Metadata in Your Photos
Every photo taken on a modern smartphone embeds a block of metadata in the image file called EXIF (Exchangeable Image File Format) data. This metadata routinely includes: the device make and model, date and time the photo was taken, camera settings (aperture, shutter speed, ISO), and โ depending on your phone settings โ the precise GPS coordinates of where the photo was captured.
The privacy implication is direct: sharing an unmodified photo can reveal your home location, workplace, or regular locations to anyone who checks the metadata. Social platforms like Instagram, Twitter, and Facebook strip EXIF data server-side before displaying images โ but any photo shared directly via email, messaging app, or file transfer retains the full metadata.
The EXIF Remover strips all embedded metadata from JPEG and PNG files in the browser. The file never leaves your machine โ processing happens locally and the cleaned image is returned as a download. Checking metadata before removing it (drop the file in and inspect what fields are present) is often more revealing than expected: an outdoor photo might contain GPS coordinates accurate to within 5 meters.
Base64 Encoder and JWT Decoder
Two tools primarily for developers that are frequently misunderstood from a security perspective:
Base64 is not encryption. It is a reversible encoding scheme that converts binary data (or any text) into a string of 64 safe ASCII characters. Its purpose is transport, not security โ it exists because some systems can only handle ASCII text and cannot transmit raw binary. Email attachments, data URLs, and binary content embedded in JSON all commonly use Base64 encoding. The Base64 Encoder/Decoder converts in both directions instantly. Anyone with the encoded string can decode it in seconds โ never use Base64 as a security measure.
JSON Web Tokens (JWTs) are Base64-encoded strings split into three parts: a header, a payload, and a signature. The header and payload are not encrypted โ they are Base64-encoded JSON that any party can read. The signature verifies that the token was issued by a trusted server and has not been tampered with. The JWT Decoder parses a JWT and displays the header and payload in readable JSON, which is essential when debugging auth issues โ confirming the token contains the expected claims, checking expiry timestamps, and verifying the algorithm field before implementation.
Frequently Asked Questions
Are these tools safe to use for sensitive passwords or private text?
Yes โ all processing runs entirely in your browser. The tools never send your input to a server. You can verify this by disconnecting from the internet and confirming the tools still work: the processing is local JavaScript, not a server call. For particularly sensitive operations, disconnect from Wi-Fi before use as an additional precaution.
What is the difference between encryption and hashing?
Encryption is reversible: given the ciphertext and the key, you recover the original plaintext. Hashing is one-way: the hash cannot be reversed to recover the input. Use hashing when you need to verify data integrity or store a password fingerprint. Use encryption when you need to recover the original data later.
Which algorithm should I use for the hash generator?
SHA-256 is the practical default for 2026. It is the algorithm used by Bitcoin, TLS certificates, and most modern software distribution for integrity verification. Avoid MD5 and SHA-1 for any security purpose โ both have known collision vulnerabilities. SHA-512 provides a larger output (512 bits vs. 256 bits) with marginally higher security but is rarely necessary for typical use cases.
Can a Caesar cipher be broken?
Trivially โ there are only 25 possible shifts, so the cipher can be exhaustively tried by hand in minutes. Against a computer, it breaks in microseconds. The Caesar cipher is valuable for educational purposes (understanding substitution ciphers, frequency analysis) but offers no practical security for real data. Use the Text Encrypt & Decrypt tool for any actual encryption need.
Do photos shared on social media still contain EXIF data?
Major platforms (Instagram, Facebook, Twitter/X) strip EXIF metadata before displaying images publicly. However, direct file sharing โ email attachments, WhatsApp, Telegram, Dropbox links, and most messaging apps โ typically preserves the original file including all metadata. Strip EXIF data before sharing photos directly rather than through a major platform.
All tools described in this post are free, require no account, and run entirely in your browser. The complete Nutilz security and privacy tool collection is available at the Nutilz homepage, alongside 80+ tools for finance, development, text, design, and wellness.