Credential security
Generating strong passwords
Password Generator creates cryptographically random secrets with configurable length and character set. The built-in strength bar confirms your entropy.
Security category · 7 tools
Your secrets stay on your device.
Generate passwords, compute hashes and HMACs, decode JWTs, encrypt with AES, verify file checksums, and more — all in your browser, with nothing sent over the network.
7 tools
0 uploads
100% in-browser
// 7 tools
Password Generator
Strong, random passwords or passphrases generated entirely in your browser
Tr9xK@mZ4q!Rp7nW2vB#sY · 128 bits
Checksum Verifier
Upload a file, select an algorithm, and compare against an expected checksum — computed entirely in your browser. No data leaves your device.
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes of text or files entirely in your browser
SHA-256 · 6b86b273ff34fce19d6b804eff5a3f…
HMAC Generator
HMAC-SHA1 through SHA-512 with hex or Base64 output — runs in your browser.
JWT Decoder
Decode JWT header, payload, and signature. Check expiry and verify locally — in your browser.
AES Encrypt / Decrypt
Encrypt or decrypt text using AES-256-GCM, CBC, CTR, or ECB
Random String Generator
Generate cryptographically secure random strings, API keys, tokens, and secrets with custom character sets — entirely in your browser.
How to choose
Pick the right tool for your task
Data integrity
Verifying hashes and checksums
Hash Generator and Checksum Verifier compute digests from text or files. Compare against a published checksum to confirm downloads are intact.
API auth
HMAC signatures and JWT inspection
HMAC Generator signs messages with a shared secret. JWT Decoder parses header and payload, checks expiry, and verifies signatures locally.
Encryption
AES encrypt and decrypt
AES Encrypt / Decrypt supports GCM, CBC, CTR, and ECB with a passphrase or raw key — useful for protecting strings before sharing.
Random secrets
Random string generator
Random String Generator builds tokens, API keys, and test data with crypto-secure randomness and custom character sets.
Which tool?
Password vs. hash — what's the difference?
A password is a credential you give to users. A hash is a one-way fingerprint of data. Use Password Generator for login secrets; use Hash or Checksum tools when verifying data has not changed.
Browser crypto that actually makes sense
Tool Matic uses the same primitives production servers use — exposed by every modern browser through the Web Crypto API. Same library. No middleman.
Because nothing leaves your machine, you can hash a private key, generate a recovery secret, or paste a password without the usual risk surface.
What's under the hood
- Web Crypto API SHA, AES, ECDSA, HMAC — the same library your OS and bank already trust.
- Open and inspectable Every tool's code ships in the page. Read it in DevTools right now.
- Cryptographic randomness crypto.getRandomValues only. Never Math.random.
- Works fully offline Once the page has loaded, nothing else leaves your device.
Frequently asked questions
Are these online security tools safe to use?
Yes. Every Tool Matic security tool runs entirely in your browser. Inputs you paste or files you select are never uploaded to a server, so passwords, secrets, and tokens stay on your device.
Do Tool Matic security tools work offline?
Once a tool page has loaded, the cryptographic work runs locally without any further network calls. You can keep using the page in a flaky network or a fully offline browser tab.
What is the difference between hashing and encryption?
A hash is a one-way fingerprint of input data - useful for checksums and password storage but not reversible. Encryption is two-way and is used to protect data in transit or at rest. Use the Hash Generator for digests; choose an encryption tool when you need to recover the original value.
When should I use bcrypt instead of SHA-256?
Use bcrypt for storing user passwords because it is intentionally slow and salted, which resists brute-force attacks. Use SHA-256 (via the Hash Generator) for message integrity, file checksums, and content addressing where speed matters.
How do I decode a JWT without sending it to a server?
Open JWT Decoder, paste the token, and read the header and payload instantly. Optional signature verification uses your key locally — the token never leaves your browser.
When should I use HMAC instead of a plain hash?
Use a hash when you only need a fingerprint of data. Use HMAC when a shared secret must prove the message was not tampered with — common in webhooks and API signatures.