FreeTool
Security Tools

Password Security in the Browser: Generate, Encrypt, Hash, and Test — No Server Needed

A practical guide to browser-based password and encryption tools — generate strong passwords, encrypt text with AES-256, hash passwords with PBKDF2, and check your password strength instantly.

7 min read

Padlock on laptop keyboard representing digital security

Every developer and security-conscious user eventually needs the same set of tools: generate a strong password, encrypt a piece of sensitive text, hash a password for storage, or verify that a hash matches. These used to require installing OpenSSL or a dedicated app. Today, the Web Crypto API is powerful enough to do all of it inside the browser — with zero server round-trips and zero data leaving your device.

Here's a tour of the essential tools and how to use each one effectively.

1. Password Generator: The Right Way to Create Passwords

Humans are terrible at creating random passwords. We unconsciously use patterns — dictionary words, names, years, keyboard walks like qwerty123. A true random password generator avoids all of this.

Our Password Generator uses crypto.getRandomValues() — the cryptographically secure random number generator built into every modern browser. What makes it different from Math.random():

  • Math.random() is a pseudorandom sequence — predictable if you know the seed
  • crypto.getRandomValues() draws from OS-level entropy — truly unpredictable

Recommended settings:

Use case Length Options
Website login 16+ Upper, lower, numbers, symbols
Database password 24+ All character sets
Encryption key passphrase 32+ All character sets
PIN (device unlock) 8+ Numbers only

What to avoid:

  • Passwords under 12 characters (brutable with modern GPUs)
  • Symbol-only passwords (many services reject them)
  • Passwords you've used anywhere before

2. Password Strength Checker: Know Before You Submit

Before setting a password — or when auditing existing ones — run it through our Password Strength Checker. It evaluates:

  • Length score — longer is always better
  • Character set diversity — lowercase, uppercase, digits, symbols
  • Common patterns — dictionary words, keyboard sequences, repeated characters
  • Entropy bits — the mathematical measure of how hard it is to guess

The entropy score is the most honest measure. A 128-bit entropy password would take longer than the age of the universe to brute force at current computing speeds.

"password"          → Entropy: ~11 bits  ❌ Terrible
"P@ssw0rd"          → Entropy: ~18 bits  ❌ Still terrible (pattern)
"correct-horse-bat" → Entropy: ~44 bits  ⚠ Moderate (dictionary words)
"Kx9#mP2$vL7nQw"   → Entropy: ~87 bits  ✅ Strong
"mQ3$kX9#nP7&vL2@" → Entropy: ~104 bits ✅ Very strong

3. AES-256 Encryption: Protect Text with Military-Grade Encryption

Need to store a secret note, encrypt a config value, or send sensitive text through an insecure channel? Our AES Encrypt / Decrypt tool uses AES-256-GCM — the same cipher used by banks, governments, and end-to-end encrypted messaging apps.

How AES-256-GCM Works (Simplified)

  1. Your passphrase is run through PBKDF2 with 200,000 iterations to derive a 256-bit key
  2. A random IV (initialization vector) is generated for each encryption — ensures identical plaintext encrypts differently each time
  3. The plaintext is encrypted and an authentication tag is generated — detects tampering
  4. Output is base64-encoded: IV + tag + ciphertext
Plaintext: "API_KEY=sk_live_abc123"
Passphrase: "my-strong-passphrase"
           ↓
Encrypted: "a3Fm9K2...base64...Xp7nQ=="

Security properties:

  • ✅ Zero knowledge — nothing is sent to any server
  • ✅ Authenticated encryption — decryption fails if ciphertext was tampered with
  • ✅ Salt + IV randomization — same input produces different output each time
  • ✅ 200,000 PBKDF2 iterations — resistant to passphrase brute-forcing

Practical uses:

  • Encrypt .env values before storing in a notes app
  • Share a password with a colleague via email/Slack (send the ciphertext; share the passphrase through a different channel)
  • Encrypt journal entries or personal notes
  • Store API keys in a spreadsheet in encrypted form

4. Password Hash Generator: PBKDF2 for Secure Storage

If you're building an app that stores user passwords, you must never store plaintext passwords — or weak hashes like MD5/SHA-1. Our Password Hash Generator uses PBKDF2-SHA256 to create secure password hashes.

Why PBKDF2 and not MD5/SHA-256?

Hash Time per guess (GPU) Iterations Verdict
MD5 0.001ms 1 ❌ Broken
SHA-256 0.002ms 1 ❌ Too fast
PBKDF2-SHA256 200ms+ 200,000 ✅ Appropriate
bcrypt (cost 12) 300ms+ adaptive ✅ Appropriate

The entire point of password hashing is to make each guess expensive. Fast hashes are catastrophically bad for passwords.

Hash format output:

pbkdf2$200000$<salt>$<hash>

The salt is random per-hash, meaning the same password produces a different hash each time — preventing rainbow table attacks.

5. TOTP / 2FA Generator: Test Your Authenticator Codes

Our TOTP / 2FA Generator generates time-based one-time passwords compatible with Google Authenticator, Authy, and any RFC 6238-compliant authenticator app. Enter a Base32 secret key and get the current 6-digit code with countdown.

Use cases:

  • Verify that your server's TOTP implementation produces the correct codes
  • Test a 2FA setup before deploying it to users
  • Generate codes for a secret you've already enrolled (as a backup method)

TOTP codes change every 30 seconds, are tied to the current UTC time, and are mathematically impossible to predict without the secret key.

6. Diceware Passphrases: Memorizable and Mathematically Strong

Our Diceware Password Generator creates passphrases from the EFF wordlist — the same approach used by security researchers for master passwords and disk encryption keys.

Example: correct-horse-battery-staple-voyage

Why passphrases beat random character passwords for master passwords:

Password Entropy Memorability
Kx9#mP2$ (8 chars) ~52 bits Very hard
correct-horse-battery (3 words) ~58 bits Easy
correct-horse-battery-staple (4 words) ~77 bits Moderate
correct-horse-battery-staple-voyage (5 words) ~96 bits Manageable

For a password manager master password — which you must memorize and never write down — a 5-word diceware passphrase is the best balance of security and memorability.

Security Checklist

Run through this before deploying any authentication system:

  1. ✅ Generate passwords with Password Generator — use crypto.getRandomValues()
  2. ✅ Verify password strength with Password Strength Checker — aim for 80+ entropy bits for privileged accounts
  3. ✅ Hash stored passwords with PBKDF2, bcrypt, or Argon2 — verify output format with Password Hash Generator
  4. ✅ Encrypt sensitive values at rest with AES Encrypt — use AES-256-GCM, not AES-ECB
  5. ✅ Enable 2FA and test codes with TOTP Generator
  6. ✅ For master passwords, use Diceware Generator — 5+ words minimum

The key insight: every tool on this list runs entirely in your browser. Your passwords, plaintext, and hashes never leave your device. That's not a feature — it's the minimum acceptable standard for security tooling.

Back to all articlesBrowse tools