Crypto & Security Tools
Hash, sign, encrypt, and generate keys in the browser — from SHA-256 and HMAC to AES-GCM, RSA, Ed25519, TOTP, and BIP39.
What are crypto and security tools and when do you need them?
Applied cryptography shows up in more everyday engineering work than most developers expect. You hash a password before storing it, sign a webhook payload so the receiver knows you sent it, encrypt a configuration blob so a teammate can share it safely, or verify the SHA-256 of a downloaded binary before running it. Each of those tasks has a best-practice primitive behind it, and most of those primitives are one short call away in the Web Crypto API that every modern browser ships. The Crypto & Security category exposes those primitives directly so you do not have to wire up a Node script every time you want to compute a hash.
The category is designed for two audiences. Application developers who need correct defaults fast (hash this string, encrypt this text, check this signature) and DevOps or platform engineers who are poking at artifacts during an incident (what is the checksum of this file, does this Ethereum address pass EIP-55, is this TOTP seed still producing the codes the user sees). Everything runs locally against the browser crypto APIs, so you can paste a private key into the signing tools without worrying about server logs.
Hashing and integrity
Hashes answer the question "has this data changed". The Hash Generator covers MD5, SHA-1, SHA-256, SHA-384, and SHA-512 so you can match whatever fingerprint a vendor or package registry publishes. Checksum Calculator adds CRC32 and works on file input, which is what you reach for when validating a download or comparing two binary builds. Rule of thumb: MD5 and SHA-1 only for non-adversarial sanity checks, SHA-256 or stronger for anything security-sensitive.
Authentication and signing
Authenticated messages need HMAC, not a raw hash. HMAC Generator produces SHA-256, SHA-384, or SHA-512 tags from a shared secret, which is what Stripe, GitHub, Slack, and almost every webhook provider uses to prove a request came from them. For asymmetric signing — releases, SSH keys, blockchain transactions — Ed25519 Key Generator produces modern elliptic-curve pairs and can sign and verify messages in place. RSA Key Pair Generator is there for the cases where you need PEM output that slots into OpenSSL, older TLS workflows, or legacy SDKs that only accept RSA.
Passwords and second factors
Password hashing is its own category within crypto because speed is the enemy. Bcrypt Hash lets you pick a cost factor, hash a candidate, and verify an existing hash, so you can prototype auth flows without pulling a library just to eyeball a value. TOTP Generator implements RFC 6238 and produces the same six-digit codes that Google Authenticator and 1Password show, which is invaluable when you are debugging an MFA integration and need to confirm the server and the user agree on the current window.
Encryption at rest and in transit
AES Encrypt / Decrypt uses AES-GCM with PBKDF2-derived keys, which is the combination you want for encrypting a configuration blob, a clipboard-shared secret, or any payload that needs confidentiality and integrity together. GCM prevents bit-flipping attacks that plain CBC does not, and PBKDF2 makes password-based keys slow enough to resist offline guessing. The UI shows the salt and IV it generated so you can decrypt on another machine without shipping the browser session around.
Blockchain-adjacent primitives
Web3 work pulls in a handful of specialized utilities. Ethereum Address Checksum converts to EIP-55 mixed-case format and flags typos before you send a transaction to a hand-typed address. Crypto Unit Converter translates between ETH, Gwei, Wei, BTC, and Satoshi without floating-point surprises. BIP39 Mnemonic Generator produces and validates the 12- or 24-word seed phrases used by most hardware wallets, which is the right format to share recovery codes with users or test wallet restoration flows.
Tools in this category
Every tool below uses browser-native crypto APIs. Keys, plaintexts, and signatures stay in the tab.
Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512 hashes from text with real-time computation.
HMAC Generator
Generate HMAC signatures using SHA-256, SHA-384, SHA-512 with a secret key.
Checksum Calculator
Calculate CRC32, MD5, SHA-1, SHA-256, SHA-512 checksums for text and files with verification.
Bcrypt Hash
Generate and verify bcrypt password hashes with configurable rounds.
AES Encrypt / Decrypt
Encrypt and decrypt text using AES-GCM algorithm with PBKDF2 key derivation.
TOTP Generator
Generate time-based one-time passwords (TOTP). Compatible with Google Authenticator.
RSA Key Pair Generator
Generate RSA public and private key pairs in PEM format with 2048/4096 bit key sizes.
Ed25519 Key Generator
Generate Ed25519 key pairs, sign messages, and verify digital signatures with high-performance elliptic curve cryptography.
Ethereum Address Checksum
Convert Ethereum addresses to EIP-55 checksum format and validate address integrity.
Crypto Unit Converter
Convert between ETH, Wei, Gwei, BTC, and Satoshi units with precise calculations.
BIP39 Mnemonic Generator
Generate and validate BIP39 mnemonic seed phrases (12/24 words) and convert to seed.
Common use cases
Verifying a webhook signature locally
A payment provider posts a webhook and your handler rejects it with a 401. Copy the raw body and the timestamp into HMAC Generator, paste your signing secret, and compute the expected SHA-256 tag. Compare it byte-for-byte with the header the provider sent. Nine times out of ten the mismatch is a trailing newline or a wrong-key copy from the dashboard, both of which are obvious once you can see both tags side by side.
Storing passwords correctly
Before rolling your own auth, sanity-check the hash format you plan to persist with Bcrypt Hash. Generate a hash at cost 10, then cost 12, and measure how long each takes on your own laptop. That gives you a feel for how aggressive you can be before the login request budget breaks, and the verify mode confirms that your downstream code is comparing hashes the same way bcrypt does.
Checking a downloaded artifact before running it
Upstream releases publish SHA-256 sums. Drop the downloaded file into Checksum Calculator, pick SHA-256, and compare against the value on the release page. If the values match, the binary is the one the publisher signed off on. If they do not, stop before you run it. The same tool covers CRC32 for legacy build systems and firmware updaters.
Prototyping an SSH or signing key
Need an ephemeral keypair for a demo or a test account? Generate one with Ed25519 Key Generator and sign a sample payload in the same tool to confirm the verify side works end to end. When you need PEM output for a system that still prefers RSA, use RSA Key Pair Generator and pick 2048 or 4096 bits depending on the compliance bar you are meeting.
Related guides
How to Generate Secure Passwords in 2026: A Complete Guide
Learn why strong passwords matter and how to generate secure passwords using entropy, length, and complexity. Includes practical tips and free tools.
Understanding Hash Functions: MD5 vs SHA-256 Explained
Deep dive into cryptographic hash functions. Compare MD5 and SHA-256 in terms of security, speed, and real-world applications.
Linux File Permissions and Chmod: A Practical Guide for Developers
Master Linux file permissions and the chmod command. Learn numeric and symbolic notation, common patterns like 755 and 644, and security best practices.
JWT Tokens Explained: A Developer's Guide to JSON Web Tokens
Understand JWT tokens from the inside out. Learn the structure, authentication flow, signing algorithms, and security best practices for JSON Web Tokens.
Frequently asked questions
Is it safe to use browser-based crypto tools with real secrets?
BeautiCode runs every crypto operation client-side using the Web Crypto API, so your keys, plaintexts, and hashes never leave the tab. That makes it acceptable for inspecting tokens, verifying checksums, and prototyping key pairs on a trusted machine. For long-lived production secrets you still want a real KMS or HSM, because a browser tab is a weaker trust boundary than a hardened server or hardware module.
When should I pick SHA-256 over MD5 or SHA-1?
Default to SHA-256 for anything that touches security: authentication, file integrity, API signatures, blockchain. MD5 and SHA-1 are both broken against collision attacks and should only be used for non-adversarial checksums where you are protecting against accidental corruption rather than a motivated attacker. The Hash Generator exposes every family so you can pick the right one per use case.
Why should I store passwords with bcrypt instead of SHA-256?
Fast hashes like SHA-256 are designed to be cheap, which is the opposite of what you want when hashing passwords. Bcrypt is deliberately slow and tunable through a cost factor, so an attacker with a leaked database has to spend meaningful CPU on every guess. The Bcrypt Hash tool lets you experiment with cost factors to pick one that is tolerable for your login flow but expensive for a cracker.
What is the difference between HMAC and a raw hash?
A raw hash commits to the data but not to a secret, so anyone can recompute it. HMAC mixes a shared secret key into the hash, which proves that whoever produced the tag also knew the key. Use HMAC for webhook signatures, API request signing, and session tokens; use a raw hash for file fingerprints or cache keys where authenticity is not the concern.
RSA or Ed25519 for new projects?
Ed25519 for almost everything new. Keys are 32 bytes instead of hundreds, signing and verification are faster, and there are fewer sharp edges around padding and parameter choices. RSA still matters when you need to interoperate with legacy systems, TLS certificates with specific CA requirements, or libraries that only ship RSA support. Both are available in the category and produce standards-compliant output.