Question 1

Are these password tools actually safe? Where does my password go?

Accepted Answer

Every tool on this page runs 100% inside your browser using the Web Crypto API and open-source JavaScript libraries. Nothing is sent to any server — there are no API calls, no logs, no telemetry that includes your password or hash. You can verify this with your browser's DevTools Network tab: type a password, click Generate, and watch the network panel stay empty. The page itself was delivered over HTTPS, but no outbound request fires when you generate. This is the same model used by emn178/online-tools and the openssl-online community of pages, but with stricter privacy: no third-party analytics inside the tool flow, no ads that load external scripts.

Question 2

Which hashing algorithm should I use for storing user passwords?

Accepted Answer

OWASP's current (2024) recommendation for password storage is Argon2id with at least 19 MiB memory, 2 iterations, and 1 degree of parallelism, or bcrypt with cost at least 10. Argon2id (RFC 9106) is the winner of the 2015 Password Hashing Competition and is specifically designed to be expensive on GPUs and ASICs. Bcrypt (1999) remains an acceptable choice — it's well-tested, widely supported, and present in every major language. Avoid PBKDF2 unless you're stuck on FIPS-validated cryptography (Argon2 and bcrypt aren't FIPS-approved). Never use plain MD5, SHA-1, SHA-256, or SHA-512 for password storage — those are message digests, not password hashing functions. They run at billions of guesses per second on a single GPU, which makes any password under 14 truly random characters crackable.

Question 3

What's the difference between hashing and encryption?

Accepted Answer

Hashing is one-way: you compute a hash from input, but you can't reverse the hash to recover the input. Encryption is two-way: anyone with the key can decrypt the ciphertext back to plaintext. Password storage uses hashing because you don't need to recover the user's plaintext password — you just need to check whether the password they typed at login matches what was stored. Encryption is appropriate when you need the original value back later: storing API tokens you'll send to a third party, encrypting file contents, encrypting data at rest. A common mistake is to encrypt passwords with a symmetric cipher like AES — this is much worse than hashing them, because anyone who steals the database also steals (or can crack) the encryption key.

Question 4

Why does it matter if my random source is cryptographically secure?

Accepted Answer

Math.random() in JavaScript is a fast non-cryptographic PRNG. It produces statistically uniform output but is fully predictable to anyone who observes a few outputs — attackers can recover the internal state and replay future outputs. crypto.getRandomValues() uses the browser's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) seeded from the operating system's entropy pool (/dev/urandom on Linux/macOS, CryptGenRandom on Windows). Outputs cannot be predicted even by an attacker who observes prior outputs. Every random value generated by these tools — passwords, salts, PINs, JWT secrets — uses crypto.getRandomValues. This is critical: a password generator using Math.random is no better than a deterministic counter once an attacker recovers state.

Question 5

What's MD5 still good for?

Accepted Answer

MD5 has been collision-broken since 2004 and is unsuitable for any security purpose. It can still be used safely for non-security checksums: verifying file integrity against accidental corruption (download verification), deduplication keys in caches, ETags in HTTP, fingerprints in non-adversarial data structures. It also remains in use for legacy compatibility: Apache APR1, WordPress phpass, NTLM (MD4-based but in the same family). When you see MD5 in those contexts, it's not because MD5 is secure — it's because the format was designed before MD5's collision attacks were practical, and changing it would break backwards compatibility. Never use MD5 to hash a password, sign a document, or detect tampering by an adversary.

Question 6

Can I trust client-side cryptography?

Accepted Answer

Yes, with one caveat: the JavaScript that runs the crypto has to come from a source you trust. With these tools, the page is served over HTTPS from dnschkr.com, the code is open-source (you can View Source and inspect it), and the cryptographic primitives are either the browser's native Web Crypto API or well-audited libraries (bcryptjs, scrypt-js, crypto-js, js-sha3). The actual computation happens in your browser — there's no way for the server to see your password. The threat model client-side crypto cannot address is a compromised browser or a malicious browser extension that reads page contents. If you're protecting against those threats, you need an air-gapped offline machine, not a browser-based generator. For 99% of password generation use cases (generating a strong password to paste into a password manager, hashing a password for a config file, creating an htpasswd entry), client-side crypto in a major browser is appropriate.

Question 7

Why does WordPress still accept MD5 passwords in 2026?

Accepted Answer

WordPress's wp_check_password() function detects 32-character hex strings as legacy MD5 hashes and validates the user's typed password against the stored MD5. On a successful login it automatically rehashes the password to the current default (phpass for WP 2.5–6.7, bcrypt for WP 6.8+) and updates wp_users.user_pass. This back-compat exists because WordPress upgraded from plain MD5 to phpass in 2008 (version 2.5) and rather than force-rehash every user (which is impossible without their plaintext password), the upgrade is opportunistic. The WordPress Password Hash Generator on this site uses this fact: you can paste plain MD5 directly into the user_pass column for an emergency password reset, and WordPress will accept it on the next login attempt. The MD5 will only exist in the database until that next login — once the user logs in, it's replaced with a modern hash.

Question 8

Do you log any of this? Show me proof.

Accepted Answer

No password, no hash, no input, and no output is logged. The pages on this site collect anonymous analytics (page views, country-level location, browser type) using Google Analytics, but the analytics SDK does not have access to form inputs or the generated outputs — those exist only in your browser's memory. You can prove this with two tests: (1) open DevTools → Network tab → generate a password → confirm no network request was sent containing the password or hash; (2) View Source on any tool page → search for the words 'fetch' or 'XMLHttpRequest' inside the password generation flow → confirm there are none. Every tool's source is published; the underlying crypto runs in your browser via the Web Crypto API or open-source libraries that you can inspect line by line.

Goal	Use	Why
Pick a new password for an account	Password Generator	Random 16+ characters. Paste into your password manager.
Pick a master password you have to type	Passphrase Generator	Memorable, typeable, still strong (4+ Diceware words).
Hash user passwords in your app database	Argon2 or bcrypt	Slow, salted, designed for password storage. Never use plain MD5/SHA.
Protect an Apache or Nginx directory	HTPasswd Generator	Outputs the exact line format `htpasswd` writes.
Reset a WordPress password via the database	WordPress Hash	Three formats — phpass, $wp$ bcrypt, legacy MD5.
Verify a file integrity checksum	SHA-256	Native browser implementation. Fast, correct, standard.
Figure out what a hash is	Hash Identifier	Pattern-based detection across 50+ formats.

Password Tools

Password Generators

Strong Password Generator

Diceware Passphrase Generator

Memorable Password Generator

PIN Generator

WiFi Password Generator

API Key Generator

JWT Secret Generator

Password Hashing

Bcrypt Generator & Verifier

Argon2 Hash Generator

Scrypt Hash Generator

PBKDF2 Generator

Hash Utilities

MD5 Hash Generator

SHA-1 Hash Generator

SHA-256 Hash Generator

SHA-512 Hash Generator

SHA-3 (Keccak) Generator

HMAC Generator

Hash Identifier

Password Strength Checker

Platform-Specific Hashes

HTPasswd Generator

APR1 Generator

WordPress Password Hash

Drupal Password Hash

Django Password Hash

MySQL Password Hash

PostgreSQL Password Hash

Linux Shadow Hash

NTLM Hash Generator

How to Choose the Right Tool

Why Browser-Based?

Frequently Asked Questions