Category
Hashing & crypto
Every tool and article in this category, gathered in one place.
Tools
Hash Generator (SHA-1/256/384/512)
Compute SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text, shown as hex and Base64, using the browser's native Web Crypto. Runs entirely in your browser.
Hash Preimage Finder
Watch a bounded, local brute-force search recover a weak hash input in seconds, or run out of keyspace on anything with real entropy. No wordlist, no table, just your browser. A demonstration of why fast, unsalted hashes fail.
HMAC Generator (SHA-256/384/512)
Compute a keyed HMAC over a message with your secret key, shown as hex and Base64, via the browser's native Web Crypto. The same construction the JWT verifier uses for HS256. Your key never leaves your browser.
Articles
Hashing, encryption, and encoding: three different things
Three operations that get constantly confused, separated cleanly by two questions: is it reversible, and does it need a key?
ReadCryptographic hashing: SHA-256 and the SHA-2 family
What a hash function guarantees, the properties that make it cryptographic, and why a digest is not encryption.
ReadChoosing a hash: MD5, SHA-1, SHA-2, SHA-3, and BLAKE
Which hash functions are still safe, which are broken, what their output sizes are, and how to pick the right one.
ReadCollisions, preimage resistance, and the birthday bound
The three security properties a cryptographic hash must have, why collisions matter, and the birthday math that sets the real strength.
ReadStoring passwords: bcrypt, scrypt, and Argon2
Why a fast hash like SHA-256 is the wrong tool for passwords, and what salting and work factors actually do.
ReadHMAC: keyed hashing for message authentication
Why a plain hash proves integrity but not authenticity, how a secret key fixes that, and why HMAC's structure matters.
ReadWhy HMAC, and not hash(key + message)
The length-extension attack that breaks naive keyed hashing, and the nested construction HMAC uses to defeat it.
ReadAuthenticating API requests with HMAC
How a shared secret and a hash let a server trust a request it did not see being made, and how replay protection fits in.
ReadVerifying an HMAC safely: constant-time and replay
Why comparing signatures with == leaks a timing side channel, and why a valid signature alone does not stop a replayed request.
ReadWhy Cryptographic Hashes Are One-Way
A cryptographic hash maps any input to a fixed-size digest and is designed so that recovering the input from the digest is infeasible. That property, preimage resistance, is why you cannot decrypt a hash. The only ways to reverse one are to look it up or to guess-and-check, both of which are search, not inversion.
ReadBrute Force vs Lookup Tables: Two Ways to Reverse a Hash
Since a hash cannot be inverted, reversing one means searching, and there are two families. Precompute a giant table of input-to-hash pairs and look the hash up (what CrackStation does), or generate candidates on the fly and hash each until one matches (brute force). They trade storage for compute in opposite directions.
ReadWhy Salting Defeats Precomputed Tables
A salt is a unique random value stored with each password hash and mixed in before hashing. It makes identical passwords hash differently, which destroys the economics of precomputed tables: an attacker would need a separate table for every salt. Salting is the specific defense that neutralizes lookup services and rainbow tables.
ReadSlow KDFs: bcrypt, scrypt, and Argon2
Salting defeats precomputation but not a targeted guess-and-check attack; a fast hash still lets an attacker try billions of candidates per second. Slow key derivation functions fix that by making each guess deliberately expensive and tunable, cutting an attacker's rate by many orders of magnitude. These are what you should store passwords with.
ReadKeyspace, Entropy, and Crack Time
Whether brute force can reverse a hash comes down to keyspace size versus the attacker's hashing rate. Keyspace grows exponentially with length and alphabet, so a few extra characters move a secret from cracked in seconds to infeasible for millennia. This is the arithmetic behind why length and randomness matter most.
ReadChoosing a Password Hash
Storing passwords safely is a solved problem: use a purpose-built, salted, slow password hash, not a raw digest. This is a short decision guide, from the algorithm to pick to the parameters to set and the mistakes to avoid, aligned with OWASP and NIST guidance.
Read