100% local — nothing transmitted Crypto
🔒 Hashing
🔐 Encryption
📖 Documentation

Hashing is irreversible. It transforms your text into a unique fixed-size fingerprint. Impossible to retrieve the original text. Everything is calculated locally in your browser.

✏️ Text to hash
0 char.
📋 Results
MD5128 b
SHA-1160 b
SHA-256256 b
SHA-384384 b
SHA-512512 b
bcrypt cost

Why is bcrypt different? MD5/SHA compute in microseconds — bcrypt intentionally takes ~100ms (cost 10). An attacker trying millions of passwords will be thousands of times slower. SHA-256 of a common password can be cracked in seconds. bcrypt resists much better.

🧮 Algorithms
MD5
128 bits · 32 hex
⚠ Deprecated
File integrity only. Never for passwords.
SHA-1
160 bits · 40 hex
✕ Obsolete
Collision proven (2017). Avoid.
SHA-256
256 bits · 64 hex
✓ Standard
Current reference. Bitcoin, TLS, JWT.
SHA-384
384 bits · 96 hex
✓ Solid
Good size / security compromise.
SHA-512
512 bits · 128 hex
✓ Robust
Maximum of SHA-2 family.
bcrypt
Adjustable cost factor
✓ Passwords
Intentionally slow. Ideal for storing passwords.

Encryption is bidirectional. With the right key, the original message can be recovered. Without the key, the content is unreadable. Choose an algorithm family.

🔒 Symmetric
🗝 Asymmetric (RSA)
✍️ HMAC / Signature

Same key to encrypt and decrypt. Share the encrypted message freely, but transmit the key only via a separate and secure channel.

🧪 Test module
1
Test key: FlownectTest2024!
2
Message: "This is a secret message."
3
🔒 Encrypt
Strength: —
Encrypted result
The result will appear here…
🔓 Decrypt
Strength: —
Decrypted text
The result will appear here…

How it works (AES-GCM)? Your key is derived via PBKDF2 (100,000 iterations). A random salt and unique IV are generated on each encryption. The Base64 result contains: salt (16 bytes) + IV (12 bytes) + encrypted data. Without the key = unreadable.

Three often-confused concepts: hashing is irreversible (fingerprint), encryption is reversible with a key, encoding (Base64, Hex) is not security — anyone can decode.

🔒 Hashing — Irreversible fingerprint
A hash transforms any data into a fixed-length character string. Even a whole novel produces a 64-character SHA-256. The same input always gives the same hash. But it is mathematically impossible to retrieve the input from the hash.
SHA-256("hello") → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 SHA-256("Hello") → totally different result (1 character changes everything) SHA-256("a 500-page novel...") → always 64 characters
AlgorithmSizeStatusRecommended use
MD5128 bitsDeprecatedNon-critical file integrity only
SHA-1160 bitsObsoleteAvoid — collision demonstrated in 2017
SHA-256256 bitsStandardSignatures, integrity, JWT, Bitcoin
SHA-512512 bitsRobustHigh security, critical files
bcryptVariablePasswordsOnly reasonable option for storing passwords

Why do "MD5 decryption" sites work? They don't decrypt anything. They've pre-computed millions of common hashes (rainbow tables). If your text is common, they find it. If it's unique, impossible. bcrypt with random salt makes these tables useless.

🔐 Symmetric encryption — One key for both
Same key to encrypt and decrypt. Fast, efficient for protecting files or messages. The challenge: how to securely transmit the key to the other person?
AlgorithmStatusKey points
AES-256-GCM2024 StandardEncryption + message authentication. NIST recommended. Used by TLS 1.3, WhatsApp, Signal.
AES-256-CBCValidOlder, no built-in authentication. Very widespread (legacy).
3DESDeprecatedTriple DES. Slow, short key. Still in some old banking systems.
ChaCha20-Poly1305ModernAlternative to AES, faster on mobile/CPU without hardware acceleration. TLS 1.3, WireGuard.
Encrypted message structure (AES-GCM):
[SALT 16 bytes][IV 12 bytes][ENCRYPTED DATA + GCM TAG] → Base64 The salt and IV are public by design — they do not compromise security. What is secret: only your key.
🗝 Asymmetric encryption — Public / private key
Two mathematically linked keys. What one encrypts, only the other can decrypt. The public key can be shared freely — no one can use it to decrypt.
Alice generates: public key (shareable) + private key (secret) Bob encrypts with Alice's PUBLIC key → only Alice can decrypt with her PRIVATE key → even Bob can no longer read what he sent

RSA limitation: RSA can only encrypt short messages. In practice (HTTPS, emails), an AES key is encrypted with RSA, then the data with AES — this is hybrid encryption.

✍️ HMAC — Authenticity without encryption
HMAC does not encrypt the message — it signs it. The content remains readable, but you can prove it has not been altered and that it indeed comes from someone who has the secret key. Massively used in REST APIs, JWTs and webhooks.
// Verifying a GitHub webhook: HMAC-SHA256(received_payload, secret_key) === signature_in_header ? → YES: payload comes from GitHub, unmodified → NO: payload altered or incorrect key
✅ Best practices

AES-256-GCM to encrypt data, messages, files.

bcrypt to store passwords in database.

SHA-256 to verify integrity of a downloaded file.

HMAC-SHA256 to authenticate API requests or webhooks.

✅ A good key = 12+ characters, uppercase + lowercase + digits + symbols.

✅ Transmit the key and encrypted message via separate channels.

❌ Never use MD5 or SHA-1 for passwords.

❌ Don't confuse Base64 with encryption — it's just encoding.

❌ Never send key + encrypted message together in the same message.

❌ Never store an RSA private key in a publicly accessible location.