Tag: Security

  • SHA-512 Hash Generator: Compute 512-bit Digests [2026]

    TL;DR: SHA-512 produces a 512-bit (64-byte / 128 hex character) cryptographic hash from any input. It’s the strongest member of the SHA-2 family — 128-bit collision resistance, used for high-assurance file checksums, code-signing, password derivation (with bcrypt/argon2 wrappers), and forensic integrity verification. Our free SHA-512 hash generator uses the browser’s native SubtleCrypto API — same engine browsers use for HTTPS — and runs entirely on your device.

    SHA-512 is the largest member of the SHA-2 family. It produces a 512-bit digest, twice the size of SHA-256's, with correspondingly stronger resistance to collision attacks. For most checksum use cases SHA-256 is enough; SHA-512 wins where you need extra margin (long-lived archive integrity, code-signing certificates valid for 5+ years, forensic chain-of-custody hashes) or where the platform standard mandates it (Git uses SHA-1 today but is migrating to SHA-256; some EU government systems specify SHA-512). On 64-bit hardware SHA-512 is actually faster than SHA-256: it works on 8-byte (64-bit) words natively, where SHA-256 works on 4-byte (32-bit) words.

    Our SHA-512 hash generator runs the browser’s native SubtleCrypto.digest('SHA-512', ...) implementation — the same code path that handles HTTPS certificate verification — and never uploads your input. Paste text or drop a file, and the hex digest appears instantly. This guide covers SHA-512 vs SHA-256 vs SHA-3, when each is the right pick, and the gotchas with binary-vs-text input encoding.

    SHA family at a glance

    | Algorithm | Output size | Collision security | Status |
    |---|---|---|---|
    | MD5 | 128 bits | Broken (collisions trivial) | Checksums only, never security |
    | SHA-1 | 160 bits | Broken (SHAttered, 2017) | Legacy systems, Git (migrating) |
    | SHA-224 | 224 bits | 112-bit security | FIPS-compliant short hash |
    | SHA-256 | 256 bits | 128-bit security | De facto standard (TLS, Bitcoin, Git plan) |
    | SHA-384 | 384 bits | 192-bit security | SHA-512 truncated, used in PKI |
    | SHA-512 | 512 bits | 256-bit security | High-assurance, faster on 64-bit |
    | SHA-3 (Keccak) | 224–512 bits | Independent design, 128–256-bit | Backup if SHA-2 ever weakens |

    When to pick SHA-512 specifically

    SHA-256 is the default for almost every new system. SHA-512 makes sense when:

    • Long-lived archives. A digest you’ll verify in 20 years benefits from extra security margin. Government archives, legal-record systems, and long-term forensic chains of custody specify SHA-512.
    • 64-bit hardware. SHA-512 is 30–50% faster than SHA-256 on modern x86_64 CPUs because it works on 8-byte (64-bit) words natively. On 32-bit ARM (rare in 2026) the situation reverses and SHA-256 wins.
    • HMAC for sensitive material. HMAC-SHA-512 is preferred over HMAC-SHA-256 for high-value secrets like signing keys for code release.
    • Compliance mandates. Some EU government systems (BSI, ANSSI) specify SHA-512 minimum; some financial standards align with that.
    • Password-key derivation. PBKDF2 / Argon2 / bcrypt all support SHA-512 as the inner hash. Doesn’t make the password significantly stronger, but is sometimes specified by compliance frameworks.

    For everyday use — verify a download, hash a config file, generate a deterministic ID — SHA-256 is faster to compute and the 256-bit security is enough.

    How to compute SHA-512 in your browser

    1. Open the SHA-512 generator
    2. Type or paste text in the input — the digest appears live as you type
    3. Or drop a file — the digest is computed by streaming the bytes through SubtleCrypto, no upload
    4. Click Copy for the lowercase hex digest, or toggle UPPERCASE
    5. For HMAC mode, click HMAC, paste a key, and the HMAC-SHA-512 is computed

    Code: how to compute SHA-512 in JavaScript

    Browsers and Node.js 19+ both expose the WebCrypto API. The same code works everywhere:

    async function sha512(text) {
      const buffer = new TextEncoder().encode(text);
      const hash = await crypto.subtle.digest("SHA-512", buffer);
      return [...new Uint8Array(hash)]
        .map((b) => b.toString(16).padStart(2, "0"))
        .join("");
    }
    
    // sha512("hello world") returns
    // "309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a9bcd3ca86d4cd86f
    //  989dd35bc5ff499670da34255b45b0cfd830e81f605dcf7dc5542e93ae9cd76f"

    Common gotchas

    • Encoding matters before you hash. SHA-512 is a function over bytes, not characters. "café" in UTF-8 is 5 bytes; in Latin-1 it’s 4. The two produce different hashes. Always use UTF-8 for text input — the standard everywhere except some legacy Windows pipelines.
    • SHA-512 is not a password storage algorithm. Never store passwords as plain SHA-512 — even with a salt, the algorithm is too fast and vulnerable to GPU brute-force. Use bcrypt, scrypt, or argon2 for password storage; those use SHA internally as a building block but add deliberate slowness.
    • Trailing whitespace and line endings change the hash. A file ending with \n hashes differently from the same file ending without it. CRLF (\r\n) vs LF (\n) is a common cause of “the hashes don’t match” between Windows and macOS — normalise line endings before hashing.
    • UTF-8 BOM. A file saved as UTF-8 with BOM has an extra 3 bytes (EF BB BF) at the start. Same content, different hash. Strip BOMs if you compare hashes between platforms.
    • SHA-384 is SHA-512 truncated. SHA-384 uses the same algorithm internally, then truncates to 384 bits (96 hex chars). Both are valid SHA-2 hashes; pick based on output size needs.
    • Some legacy tools default to wrong hex case. Hex digests are case-insensitive when comparing, but tools default to lowercase or uppercase inconsistently. 309ecc... and 309ECC... represent the same hash.
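    The encoding, line-ending, BOM and hex-case gotchas above, worked through as an added example (not code from the original page or its generator); the sample config bytes and the `normalise_for_hash` helper are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs for the gotchas above (not from the original page).
UTF8_BOM = b"\xef\xbb\xbf"


def normalise_for_hash(raw: bytes) -> bytes:
    """Strip a leading UTF-8 BOM and convert CRLF line endings to LF.

    SHA-512 is a function over bytes, so these invisible differences change
    the digest; normalising first makes cross-platform comparisons meaningful.
    """
    if raw.startswith(UTF8_BOM):
        raw = raw[len(UTF8_BOM):]
    return raw.replace(b"\r\n", b"\n")


def sha512_hex(data: bytes) -> str:
    """Lowercase hex digest, 128 characters."""
    return hashlib.sha512(data).hexdigest()


def digests_match(a: str, b: str) -> bool:
    """Case-insensitive digest comparison (309ECC... equals 309ecc...).

    compare_digest keeps the comparison constant-time, which matters when the
    value being compared is a MAC rather than a plain checksum.
    """
    return hmac.compare_digest(a.strip().lower(), b.strip().lower())


def encoding_matters() -> dict:
    """Same text, two encodings, two byte lengths, two different digests."""
    utf8 = "café".encode("utf-8")      # 5 bytes
    latin1 = "café".encode("latin-1")  # 4 bytes
    return {
        "utf8_len": len(utf8),
        "latin1_len": len(latin1),
        "same_digest": sha512_hex(utf8) == sha512_hex(latin1),
    }


if __name__ == "__main__":
    # Constructed: the same config saved on Windows (BOM + CRLF) and on macOS (LF).
    windows_copy = UTF8_BOM + b"server=db01\r\nkey_file=/etc/app.key\r\n"
    mac_copy = b"server=db01\nkey_file=/etc/app.key\n"
    print("raw digests equal:", sha512_hex(windows_copy) == sha512_hex(mac_copy))
    print("normalised digests equal:",
          digests_match(sha512_hex(normalise_for_hash(windows_copy)),
                        sha512_hex(normalise_for_hash(mac_copy)).upper()))
    print(encoding_matters())
```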

    When NOT to use SHA-512

    For a password store, use bcrypt / scrypt / argon2 — those are designed to be deliberately slow against brute-force; SHA-512 alone is too fast. For non-cryptographic use cases (database keying, fingerprinting non-sensitive content), use a simpler hash like xxHash or FNV — they’re faster and don’t burn CPU on cryptographic strength you don’t need. For verifying that a small string hasn’t changed in a public ledger, SHA-256 is enough — half the bytes for the same practical security. For random-looking IDs in a URL, use a UUID or a random number; hashes are deterministic, which usually isn’t what you want for IDs.

    Frequently asked questions

    Is SHA-512 stronger than SHA-256?

    Yes — SHA-512 has 256-bit collision resistance vs SHA-256’s 128-bit. Both are far beyond what’s brute-forceable today. For most uses 128-bit security is more than enough; SHA-512 matters for long-lived archives and high-assurance contexts.

    Can SHA-512 be reversed?

    No. SHA-512 is a one-way function. Given a hash, there’s no method short of guessing every possible input that would recover the original. For “hash-cracking” attacks against weak inputs (short passwords, dictionary words), the attacker doesn’t reverse the hash — they hash candidate inputs until one matches. The defence is using slow algorithms (bcrypt) for passwords.

    Why is SHA-512 sometimes faster than SHA-256?

    SHA-512 processes 1024-bit blocks of data using 64-bit words. On a 64-bit CPU each word fits in a single register, giving SHA-512 a 30–50% throughput advantage over SHA-256 on modern x86_64. On 32-bit hardware (rare in 2026) the trade reverses.

    Should I use SHA-512 for password hashing?

    No, not directly. Use bcrypt, scrypt, or argon2id — those are deliberately slow and resistant to GPU brute-force. SHA-512 alone is millions of times too fast to use as a password store. Some compliance frameworks specify SHA-512 inside an HMAC or PBKDF2 wrapper; that’s fine, but plain SHA-512 of a password is a known anti-pattern.

    Is my input uploaded?

    No. The generator runs the browser’s native SubtleCrypto.digest API. Text and files are processed locally — never sent to our servers. You can verify with DevTools’ Network tab.

    What’s the file size limit?

    Effectively your browser’s available memory. Files up to several GB hash via streaming on desktop browsers; mobile is more limited. Hashing a 1 GB file takes 5–15 seconds on a recent laptop.

  • SHA-224 Hash Generator: 224-bit FIPS Digest [2026]

    TL;DR: SHA-224 produces a 224-bit (28-byte / 56 hex character) hash. It’s SHA-256 with a different starting state and a truncated 224-bit output. Designed by NIST in 2004 to provide FIPS-compliant 112-bit collision resistance — useful when you need a SHA-2-family hash but want shorter output than SHA-256. Real-world use: 3DES key derivation, NIST SP 800-57 short-hash specifications, and storage-constrained contexts. Our free SHA-224 hash generator uses the browser’s native WebCrypto API.

    SHA-224 is the rarely-used cousin of SHA-256. It exists for one specific reason: NIST needed a SHA-2 family member matching the 112-bit security strength of legacy applications (mainly 3DES key derivation and some FIPS-mandated short-hash specifications). For most modern use, SHA-256 is the default: same algorithm internally, longer output, more security margin. But if you’re maintaining a system that specifies SHA-224 for compliance, or doing 3DES key derivation per NIST SP 800-57, this is the algorithm.

    Our SHA-224 hash generator uses the browser’s native SubtleCrypto.digest('SHA-224', ...) implementation. Paste text or drop a file — runs entirely on your device. This guide covers SHA-224’s design, when it’s the right pick over SHA-256, and the gotchas with internal state differences.

    SHA-224 vs SHA-256 — when each wins

    | Algorithm | Output | Collision security | Use case |
    |---|---|---|---|
    | SHA-224 | 224 bits (56 hex) | 112-bit | 3DES key derivation, FIPS short-hash mandates |
    | SHA-256 | 256 bits (64 hex) | 128-bit | Default for new systems |
    | SHA-384 | 384 bits (96 hex) | 192-bit | PKI certificates, high-assurance signatures |
    | SHA-512 | 512 bits (128 hex) | 256-bit | Long-lived archives, when SHA-256 isn’t enough |

    How SHA-224 differs from SHA-256

    Both algorithms run the same compression function on 512-bit blocks. The only differences:

    • Initial hash value (IV): SHA-224 uses a different 8-word starting state. This means truncating the SHA-256 output to 224 bits is not the same as computing SHA-224 — they produce different results.
    • Output length: SHA-224 returns 7 of the 8 final words (28 bytes); SHA-256 returns all 8 (32 bytes).
    • Performance: identical — the work is the same, only the IV and truncation differ.

    The “different IV” is critical. If you’re verifying a SHA-224 hash, you must compute SHA-224 specifically, not SHA-256-then-truncate. Get this wrong and your hashes never match.

    When you’d actually use SHA-224

    SHA-224 is uncommon in 2026. Real use cases:

    • NIST SP 800-57 compliance: NIST’s key-management standard sometimes specifies 112-bit security strength, and SHA-224 is the matching SHA-2 family member.
    • 3DES key derivation: 3DES uses 168-bit keys with 112-bit security; SHA-224 produces a hash matching that strength. (3DES itself was deprecated by NIST in 2017 — most systems have moved to AES.)
    • Federal procurement specs: some old US government RFP / SOW documents specify SHA-224 explicitly. Match the spec; don’t substitute SHA-256.
    • Bandwidth-constrained protocols: 56 hex characters vs 64 saves a few bytes per message in tight protocols (extremely rare in 2026).

    For new code without a specific compliance reason, use SHA-256. The 8 extra hex characters cost nothing and you get 16 more bits of security margin.

    How to compute SHA-224 in your browser

    1. Open the SHA-224 generator
    2. Type or paste text — the digest appears live as you type
    3. Or drop a file — bytes are streamed through the browser’s WebCrypto API
    4. Click Copy. Toggle UPPERCASE or lowercase hex output
    5. For HMAC-SHA-224, enter a key in HMAC mode

    Code: SHA-224 in JavaScript

    // crypto.subtle.digest() only accepts SHA-1, SHA-256, SHA-384 and SHA-512,
    // so "SHA-224" throws NotSupportedError. Node's crypto module ships SHA-224;
    // in a browser you need a JavaScript SHA-224 implementation.
    import { createHash } from "node:crypto";
    
    function sha224(text) {
      // update(text, "utf8") encodes the string as UTF-8 bytes before hashing
      return createHash("sha224").update(text, "utf8").digest("hex");
    }
    
    // sha224("hello world") returns
    // "2f05477fc24bb4faefd86517156daccfa3e6488427d1f0f217f04b6e"

    WebCrypto support: Chrome 37+, Firefox 34+, Safari 11+ — universal in 2026. SHA-224 is part of the WebCrypto digest algorithm set since the spec finalised.

    Common gotchas

    • Don’t confuse SHA-224 with truncated SHA-256. SHA-224 has a different IV. sha256(x).substring(0, 56) !== sha224(x). Compute SHA-224 specifically.
    • UTF-8 encoding before hashing. Same input, different encoding, different hash. Always use UTF-8.
    • Don’t use for password storage. SHA-224, like other SHA-2 members, is too fast for password storage. Use bcrypt / argon2id with passwords.
    • Some libraries don’t ship SHA-224. Older crypto libraries (PHP’s hash() pre-7.0, some C libraries) don’t include SHA-224. Verify your destination supports it before specifying.
    • Length-extension attacks affect SHA-224 too. Like SHA-256, vulnerable to length extension if used as sha224(secret || data). Use HMAC-SHA-224 instead.
    • If you can choose, choose SHA-256. Only use SHA-224 if a spec mandates it. The 8 extra hex characters are free.

    When NOT to use SHA-224

    For new systems without compliance requirements: use SHA-256. For password storage: never SHA-224 (or any plain SHA); use bcrypt / scrypt / argon2id. For TLS / X.509 certificates: SHA-256 minimum (SHA-224 isn’t supported by most CAs). For long-lived archives: SHA-512 for the extra security margin. SHA-224 is a niche tool — match it to a specific spec, otherwise pick a sibling.

    Frequently asked questions

    Is SHA-224 just truncated SHA-256?

    No. They share the same compression function but use different initial hash values (IVs). Truncating SHA-256 to 56 hex characters does NOT produce the SHA-224 hash. Compute SHA-224 specifically using the WebCrypto API or a dedicated library.

    Should I use SHA-224 instead of SHA-256?

    No, unless a spec mandates it. SHA-224 saves 8 hex characters in output but provides 16 fewer bits of collision security. The bandwidth saving is negligible in 2026; SHA-256 is the safer default for new systems.

    Why does SHA-224 even exist?

    NIST designed it in 2004 for compliance with key-management standards that specify 112-bit security strength — matching legacy systems like 3DES key derivation. Most legacy systems have moved on; SHA-224 is now mostly used in older federal procurement specs.

    Is the WebCrypto API support universal?

    Yes — SHA-224 has been part of WebCrypto since the spec finalised in 2014. Chrome 37+, Firefox 34+, Safari 11+, Edge 12+. Universal in 2026.

    Is my input uploaded?

    No. The generator runs the browser’s WebCrypto API. Text and files are processed locally — never sent to our servers.

    Can SHA-224 be reversed?

    No. Like all SHA-2 hashes, SHA-224 is a one-way function. Given a hash, there’s no method short of brute force to recover the input. Cracking weak inputs (short passwords) involves trying candidates until one matches — defence is using slow algorithms (bcrypt) for passwords.

  • SHA-384 Hash Generator: 384-bit Digest [2026]

    TL;DR: SHA-384 produces a 384-bit (48-byte / 96 hex character) hash. It’s SHA-512 with a different starting state and a truncated 384-bit output. 192-bit collision resistance — overkill for most uses, but mandated in NSA Suite B / CNSA-compliant cryptography, TLS 1.3 cipher suites, and US government high-assurance systems. Faster than SHA-256 on 64-bit hardware. Our free SHA-384 hash generator uses the browser’s native WebCrypto API.

    SHA-384 occupies the same family-niche as SHA-224: a SHA-2 hash with truncated output for compliance reasons. Where SHA-224 is the truncated SHA-256 for legacy 112-bit security, SHA-384 is the truncated SHA-512 for high-security applications that don’t need a full 512-bit hash but want more than SHA-256’s 128-bit collision resistance. Real-world use is concentrated in government and high-assurance crypto:

    • TLS 1.3: the TLS_AES_256_GCM_SHA384 cipher suite uses SHA-384 in HKDF for key derivation.
    • NSA Suite B / CNSA: the US National Security Agency’s commercial cryptography spec requires SHA-384 (or SHA-512) for top-secret data classifications.
    • PKI / X.509 certificates: ECDSA signatures over P-384 curves naturally pair with SHA-384.
    • Long-lived archive integrity: the extra 64 bits over SHA-256 add comfortable security margin.

    Our SHA-384 hash generator uses the browser’s native SubtleCrypto.digest('SHA-384', ...) API — same code path that handles HTTPS certificate verification — and runs entirely on your device. This guide covers when SHA-384 is the right pick, the performance characteristics, and the gotchas with truncation.

    SHA-2 family at a glance

    | Algorithm | Output | Collision security | Performance |
    |---|---|---|---|
    | SHA-224 | 224 bits | 112-bit | Same as SHA-256 |
    | SHA-256 | 256 bits | 128-bit | Slower on 64-bit |
    | SHA-384 | 384 bits | 192-bit | Same as SHA-512 (faster on 64-bit) |
    | SHA-512 | 512 bits | 256-bit | ~30% faster than SHA-256 on 64-bit |

    Why SHA-384 is faster than SHA-256 on modern hardware

    SHA-384 uses the SHA-512 compression function — operating on 64-bit words and 1024-bit blocks — and just truncates the output. On a 64-bit CPU each word fits in a single register. SHA-256, despite producing a smaller output, runs on 32-bit words requiring more operations per byte hashed.

    Benchmark on a 2024 laptop:

    • SHA-256: ~600 MB/s
    • SHA-384: ~880 MB/s (≈47% faster)
    • SHA-512: ~880 MB/s (same internal work as SHA-384)

    Counter-intuitively, picking SHA-384 over SHA-256 for new code can mean both more security and better performance on 64-bit hardware. The trade-off is 32 extra hex characters in output.

    When you’d actually use SHA-384

    • NSA Suite B / CNSA-compliant systems. US government top-secret classification mandates SHA-384 minimum. If you’re in defence / intelligence contracting, this is the spec.
    • TLS 1.3 with AES-256-GCM. The TLS_AES_256_GCM_SHA384 cipher suite is one of TLS 1.3’s three default suites. Browsers negotiate it automatically; you don’t pick it manually.
    • PKI signatures with P-384 curves. ECDSA on the NIST P-384 curve naturally pairs with SHA-384 for matching security level.
    • Compliance frameworks specifying 192-bit security. Some financial regulations (PCI DSS in select profiles), ANSSI guidelines, BSI specs.
    • Long-lived archive integrity. The 64 extra bits over SHA-256 add margin for hashes verified decades from now.

    For most everyday checksums and integrity verification, SHA-256 is the right default — universally supported, established, well-tested. SHA-384 is for compliance-driven cases.

    How to compute SHA-384 in your browser

    1. Open the SHA-384 generator
    2. Type or paste text — the digest appears live
    3. Or drop a file — bytes streamed through WebCrypto, no upload
    4. Click Copy. Toggle UPPERCASE / lowercase output
    5. For HMAC-SHA-384, click HMAC mode and paste a key

    Common gotchas

    • SHA-384 is not truncated SHA-512. Like SHA-224 / SHA-256, the truncated variants use different initial hash values. sha512(x).substring(0, 96) !== sha384(x). Always compute SHA-384 specifically.
    • UTF-8 encoding before hashing. Same input, different encoding, different hash. Use UTF-8.
    • Don’t use for password storage. SHA-384 is too fast — use bcrypt / scrypt / argon2id for passwords.
    • HMAC-SHA-384 uses a different block size. SHA-384 / SHA-512 use 1024-bit (128-byte) blocks; SHA-256 uses 512-bit (64-byte) blocks. HMAC pads (or first hashes) the key to the hash’s block size, so an implementation must use the matching value; assuming 64 bytes for SHA-384 is a common bug in hand-rolled HMAC code.
    • Length-extension affects bare SHA-384 too. Use HMAC, not sha384(secret || data).
    • Some old systems don’t ship SHA-384. Older PHP, older Java, very old C libraries may lack SHA-384. Check support before specifying.
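    The block-size gotcha above, shown as an added example (not code from the original page): a hand-rolled HMAC that agrees with the standard library only when it uses the hash’s real block size. The key and message are constructed for illustration.

```python
import hashlib
import hmac


def hand_rolled_hmac(key: bytes, msg: bytes, hash_name: str, block_size: int) -> str:
    """HMAC per RFC 2104: H((K' xor opad) || H((K' xor ipad) || msg)).

    K' is the key, hashed first if longer than block_size, then zero-padded
    to block_size. That size is 64 bytes for SHA-224/256 and 128 bytes for
    SHA-384/512; use the wrong one and the result silently differs from
    every correct library.
    """
    h = lambda data: hashlib.new(hash_name, data)
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg).digest()).hexdigest()


def library_hmac(key: bytes, msg: bytes, hash_name: str) -> str:
    """Reference value from the standard library."""
    return hmac.new(key, msg, hash_name).hexdigest()


def block_size_of(hash_name: str) -> int:
    """The block size HMAC must use: read it from the hash object, never assume 64."""
    return hashlib.new(hash_name).block_size


def matches_library(key: bytes, msg: bytes, hash_name: str, block_size: int) -> bool:
    return hmac.compare_digest(hand_rolled_hmac(key, msg, hash_name, block_size),
                               library_hmac(key, msg, hash_name))


if __name__ == "__main__":
    # Constructed key and message for the demonstration.
    key, msg = b"release-signing-key-example", b"artifact-v1.2.3.tar.gz"
    for name in ("sha256", "sha384", "sha512"):
        right = block_size_of(name)
        print(name, "block", right,
              "correct:", matches_library(key, msg, name, right),
              "assuming 64:", matches_library(key, msg, name, 64))
```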

    When NOT to use SHA-384

    For everyday integrity checks (file checksums, deterministic IDs, message integrity in non-compliance contexts), SHA-256 is the right default — universally supported, smaller output, well-known. For password storage: use bcrypt / scrypt / argon2id; never plain SHA-384. For the longest possible security margin in archive integrity: SHA-512 (full output, same algorithm internally). For TLS 1.3 cipher suite selection: don’t manually pick — let the protocol negotiate. Use SHA-384 specifically when a spec mandates it.

    Frequently asked questions

    Is SHA-384 stronger than SHA-256?

    Yes — 192-bit collision resistance vs SHA-256’s 128-bit. Both are far beyond what’s brute-forceable today; SHA-384 matters when compliance frameworks demand the higher security level (NSA Suite B / CNSA, certain financial standards).

    Why is SHA-384 sometimes faster than SHA-256?

    SHA-384 uses the SHA-512 compression function, which operates on 64-bit words. On 64-bit CPUs each word fits a single register, giving SHA-384 / SHA-512 a 30–50% throughput advantage over SHA-256. On 32-bit hardware (rare in 2026) the trade reverses.

    Is SHA-384 just truncated SHA-512?

    Same compression function, different initial hash values (IVs). Truncating SHA-512 to 96 hex characters does NOT produce the SHA-384 hash. Always compute SHA-384 specifically.

    Should I use SHA-384 or SHA-512 for new code?

    Without a specific compliance reason, SHA-256 is the default. If you need 192-bit collision resistance, SHA-384. If you need 256-bit, SHA-512. Don’t pick SHA-384 over SHA-512 for marginal output-size reasons — both run the same internal work.

    Is my input uploaded?

    No. The generator runs the browser’s native SubtleCrypto.digest API. Text and files are processed locally — never sent to our servers.

    What’s HMAC-SHA-384 and when is it used?

    HMAC-SHA-384 is a keyed hash combining a secret key with the SHA-384 algorithm. Used for message authentication where you need to verify both data integrity and that the sender knew the key. Common in JWT signatures (JOSE algorithm HS384) and AWS Signature Version 4 for high-assurance API calls.

  • JWT Decoder Online: Inspect Tokens in Browser [2026]

    TL;DR: A JWT decoder splits a JSON Web Token into its three Base64-URL-encoded parts — header, payload, signature — and renders them as readable JSON. Use it to inspect what an API token actually claims (user ID, expiry, scopes), debug auth issues, or build new tokens. Our free JWT encoder/decoder handles HS256 and RS256, verifies signatures locally, and never transmits the token.

    JWT (JSON Web Token) is the auth standard for modern APIs. Every OAuth flow, every Auth0 / Cognito / Firebase Auth integration, every internal microservice that needs to pass identity around — all of them use JWTs. The token looks like gibberish: eyJhbGciOi…. Decoded, it’s three small JSON objects that say “this user, signed by this issuer, valid until this time”. Decoding is non-secret — anyone with the token can read its contents. Verifying the signature requires the secret. Both operations are routine for backend developers and frequently need a quick lookup tool.

    Our JWT encoder/decoder takes any JWT string and renders the header + payload as pretty-printed JSON. Optionally paste the secret to verify the signature, or build a fresh token from custom JSON. Everything runs in your browser via the Web Crypto API; the token and secret never transmit. This guide explains JWT structure, the differences between HS256 and RS256, and the security gotchas that have produced real-world authentication failures.

    JWT structure — three Base64-URL parts joined by dots

    eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUiLCJpYXQiOjE2NjcwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
       ↑ header                ↑ payload                                                        ↑ signature
       {"alg":"HS256"}          {"sub":"1234567890","name":"Jane","iat":1667000000}
    • Header: the algorithm used (HS256, RS256, etc.) and the token type. Always JSON.
    • Payload: the claims — user ID, scopes, issued-at, expiry, custom application data. The actual identity assertion.
    • Signature: a cryptographic signature of header.payload using either a shared secret (HS256) or the issuer’s private key (RS256). This is what makes the token tamper-evident.

    Standard claims every JWT might include

    | Claim | Meaning |
    |---|---|
    | sub | Subject — usually the user ID |
    | iss | Issuer — who created the token |
    | aud | Audience — who the token is for |
    | exp | Expiry — Unix timestamp after which the token is invalid |
    | iat | Issued-at — Unix timestamp of token creation |
    | nbf | Not-before — token isn’t valid until this time |
    | jti | JWT ID — unique identifier for revocation lists |

    Beyond the standard claims, applications add custom claims (scopes, roles, email, anything else). Decoding a token reveals all claims; this is why JWTs should never carry secrets.

    HS256 vs RS256 — choosing the right algorithm

    • HS256 (HMAC-SHA-256): uses a shared secret known to both signer and verifier. Simpler, faster, smaller signatures. Right when one service signs and the same service verifies. Wrong when verification needs to happen on multiple machines without sharing a secret.
    • RS256 (RSA + SHA-256): uses asymmetric crypto. Issuer holds a private key; verifiers use the public key. Right for any “sign here, verify everywhere” pattern (Auth0, Firebase Auth, Google OAuth all use RS256). The public key can be distributed freely.
    • ES256 (ECDSA): elliptic-curve variant of RS256. Smaller signatures, faster signing, equivalent security. Increasingly common in IoT and mobile contexts.

    The rule of thumb: HS256 for monolithic apps where one service signs and verifies. RS256 for anything multi-service, distributed, or where third parties need to verify.

    How to use the browser JWT decoder

    1. Open the JWT encoder/decoder
    2. Paste your JWT into the input. Header and payload appear as pretty-printed JSON instantly
    3. Optional: paste the signing secret (HS256) or public key (RS256) to verify the signature. Result shows ✓ valid or ✗ invalid
    4. Switch to Encode mode to build a new token from custom JSON
    5. Copy any decoded part with the per-section copy buttons

    Real-world JWT security mistakes

    • The “alg: none” attack. Some libraries trust the algorithm specified in the header. Setting it to “none” tells the library to skip signature verification. Always specify the expected algorithm at verification time.
    • Confusing HS256 with RS256. If a service expects RS256 but accepts HS256 with the public key as the secret, attackers can forge tokens. Always pin the algorithm.
    • Leaving secrets in JWT payloads. JWTs are encoded, not encrypted. Anyone with the token reads the payload. Never put passwords, API keys, or PII in claims.
    • Long expiry times. A 90-day JWT can’t be revoked without maintaining a denylist. Keep exp short (15-60 minutes) and use refresh tokens for sustained sessions.
    • Using HS256 with weak secrets. A 16-byte secret is brute-forceable. Use 32+ bytes (256 bits) of randomness for HS256 secrets.

    Decoding JWT in code

    // Node.js (jsonwebtoken — most common)
    import jwt from "jsonwebtoken";
    
    const decoded = jwt.decode(token);                 // unverified
    const verified = jwt.verify(token, secret);         // throws if invalid
    
    // Browser (jose — modern, no deps)
    import * as jose from "jose";
    
    const decoded = jose.decodeJwt(token);
    const { payload } = await jose.jwtVerify(token, await jose.importJWK(jwk));
    
    // Python (PyJWT)
    import jwt
    decoded = jwt.decode(token, secret, algorithms=["HS256"])
    
    // Manual decode (browser, no library): base64url -> bytes -> UTF-8 -> JSON.
    // atob() returns a Latin-1 string, so decode through TextDecoder or
    // non-ASCII claim values (names, emails) come out garbled.
    const fromBase64Url = (seg) =>
      Uint8Array.from(atob(seg.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
    const [header, payload] = token.split(".").slice(0, 2)
      .map((seg) => JSON.parse(new TextDecoder().decode(fromBase64Url(seg))));
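    The decode, sign and verify steps above, with the "alg: none", algorithm-confusion and expiry checks from the security-mistakes list, as an added example (not code from the original page or any of the libraries it lists). `DEMO_SECRET`, the claim values and the `check` wrapper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (not a real key); HS256 secrets should be 32+ random bytes.
DEMO_SECRET = b"demo-secret-for-illustration-only-32b"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # Restore the padding JWT strips so the stdlib decoder accepts the segment
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_unverified(token: str):
    """Inspection only: header and payload as dicts, signature unchecked."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a token the way an Encode mode does: HMAC-SHA-256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify with the algorithm pinned to HS256; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled, so neither "none"
    # nor an HS256/RS256 swap may decide how verification happens.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def check(token: str, secret: bytes, now=None) -> str:
    """Outcome as a status string: "valid" or "rejected: <reason>"."""
    try:
        verify_hs256(token, secret, now=now)
        return "valid"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    token = sign_hs256({"sub": "1234567890", "name": "Jane", "exp": 2_000_000_000}, DEMO_SECRET)
    print(decode_unverified(token))
    print(check(token, DEMO_SECRET, now=1_900_000_000))      # valid
    print(check(token, b"wrong-secret", now=1_900_000_000))  # rejected: bad signature
    _, payload_b64, _ = token.split(".")
    # Unsigned token with alg "none": rejected before the signature is even looked at
    print(check(b64url_encode(b'{"alg":"none"}') + "." + payload_b64 + ".", DEMO_SECRET, 1_900_000_000))
```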

    When NOT to use JWT

    • For session storage. Sessions you need to revoke instantly are better as opaque session IDs in a database. JWT revocation requires a denylist that defeats the stateless benefit.
    • For sensitive payload data. Anyone with the token reads the claims. Store sensitive data server-side and reference by ID in the JWT instead.
    • For very long expiry. If your tokens last weeks, you’ve reinvented session storage with extra steps. Use refresh tokens with short-lived JWTs.
    • When you need cookie-based CSRF protection. JWTs in localStorage are vulnerable to XSS; in cookies they’re vulnerable to CSRF. Each pattern has trade-offs to design around.

    Frequently asked questions

    Is JWT encrypted?

    Standard JWT (JWS) is signed but not encrypted — anyone with the token can decode and read the payload. JWE (JSON Web Encryption) is the encrypted variant, much less common. Don’t put secrets in JWT claims.

    Can I decode a JWT without the secret?

    Yes. The header and payload are Base64-URL encoded — anyone can decode them. The secret is only needed to verify the signature (prove the token wasn’t forged) or to create a new token. Decoding without verification is fine for inspection but never trust an unverified JWT in production.

    How long before a JWT should expire?

    15-60 minutes for access tokens. Pair with a refresh token (longer expiry, revocable, server-side stored) for sustained sessions. Short access-token expiry limits damage if a token is leaked.

    Is my JWT sent to your server when I decode it?

    No. Decoding happens entirely in your browser via the Web Crypto API and JavaScript Base64 decoding. The token, secret (if you paste one), and decoded output all stay on your device. Verify in DevTools Network tab — no requests during decoding.

    What’s the difference between HS256 and RS256?

    HS256 uses a shared secret known to signer and verifier (symmetric). RS256 uses an RSA key pair where the issuer holds the private key and verifiers use the public key (asymmetric). Use HS256 for one-service contexts, RS256 for distributed/multi-service auth.

    Can I edit a JWT and re-sign it?

    Yes — switch to Encode mode, edit the header or payload JSON, paste the secret, click Sign. The output is a new valid JWT. Useful for testing token-validation logic with custom payloads.

  • HTML Entity Decoder & Encoder: Escape HTML Safely [2026]

    TL;DR: An HTML entity decoder turns escape sequences like &lt;, &amp;, &#039;, and &quot; back into the original characters (<, &, ', "). The encoder does the reverse — replacing unsafe HTML characters with named or numeric entities so the browser renders them as text instead of parsing them as markup. Use our free HTML encoder/decoder to escape user input safely or recover content from a feed that arrived double-encoded.

    Every web developer eventually pastes a string from a CMS export, an XML feed, or a database column and sees &amp;quot;Hello&amp;quot; where they expected "Hello". That’s an HTML entity round-trip gone wrong. HTML escapes a small set of characters that have structural meaning — <, >, &, ", ' — into named entities (&lt;, &gt;, &amp;, &quot;, &#039;) so they appear as text rather than triggering tag parsing. Get the encoding right and your user-supplied content is rendered safely; get it wrong and you have either visible escape sequences or, worse, an XSS vulnerability.

    Our HTML encoder and decoder handles named entities (&eacute;, &copy;, &ndash;), numeric decimal entities (&#233;, &#169;), numeric hex entities (&#x00E9;), and the full HTML5 named-entity table (2,231 named entities). It runs entirely in your browser. This guide covers when to encode, the difference between named and numeric entities, double-encoding, and the XSS edge cases naive encoders miss.

    The 5 characters you must always escape — and 2 you should

    Character | Named entity | Numeric (decimal) | Required in
    & | &amp; | &#38; | Everywhere — encode first or you’ll double-encode
    < | &lt; | &#60; | Text content — prevents tag injection
    > | &gt; | &#62; | Text content (defensive — not strictly required)
    " | &quot; | &#34; | Inside double-quoted attributes
    ' | &#39; | &#39; | Inside single-quoted attributes (note: &apos; is HTML5 only)
    © | &copy; | &#169; | Optional — only if not serving as UTF-8
    — (em dash) | &mdash; | &#8212; | Optional — only if not serving as UTF-8

    Named vs numeric vs hex entities

    You’ll see HTML entities in three forms in the wild. Named entities like &copy; are readable but only work for the ~2,231 characters that have an HTML5 name. Numeric decimal entities like &#169; reference the Unicode code point in base 10. Hex entities like &#xA9; reference the same code point in base 16. All three render identically.

    • Use named when readability matters and the character has a well-known name (&nbsp;, &copy;, &trade;).
    • Use numeric when you want maximum compatibility — every Unicode code point can be expressed numerically; not every character has a named entity.
    • Use hex when copying from a Unicode reference where code points are listed in hex (U+00A9 → &#xA9;). Hex is also more compact for high-codepoint characters.

    Important: &apos; for the single quote is HTML5-only. In HTML4 and XHTML 1.0 it’s not in the named-entity table — emails and old browsers may render it literally as &apos;. Use &#39; for maximum compatibility, especially in HTML emails.

    How to encode or decode HTML in your browser

    1. Open the HTML encoder/decoder
    2. Paste the string in the input box
    3. Pick Encode (text → entities) or Decode (entities → text)
    4. For encode, optionally toggle Numeric only to skip named entities (safer for emails and legacy clients)
    5. Click Copy to copy the output, or Decode again if the result still contains entity sequences (double-encoded data)

    XSS-safe context-aware encoding (what naive encoders miss)

    HTML entity encoding is not a one-size-fits-all defence against XSS. The right escape depends on where in the page you’re inserting user data. The OWASP-recommended split:

    • HTML body context: escape <, >, &. Inserting user text between tags.
    • HTML attribute context: additionally escape " (or ' if your attribute uses single quotes). Always quote your attributes; unquoted attributes are an injection vector.
    • JavaScript context: HTML entity escaping does not protect you here. Use JavaScript string escaping (\x3C for <) or, better, JSON.stringify.
    • CSS context: use CSS hex escapes (\3C for <), not HTML entities.
    • URL context: use URL encoding (%3C for <), not HTML entities.

    Our encoder produces HTML-context escapes by default with an option for attribute-context (more aggressive). For JavaScript or URL contexts, use the URL encoder or escape inside JSON.

    Common gotchas

    • Encode the ampersand first. If you encode < to &lt; first, then encode & to &amp;, you’ll double-encode and end up with &amp;lt;. Always replace & first, then the rest.
    • Double-encoded feeds. RSS feeds, MailChimp exports, and CMS APIs sometimes encode their own escape sequences again. &amp;amp; means the original was & encoded twice. Decode twice to recover.
    • Non-breaking space looks like a space but isn’t. &nbsp; (U+00A0) is invisible but breaks string-equality checks. If your string compare fails despite identical-looking text, replace nbsp with regular space first.
    • Internet Explorer recognised non-standard named entities. Avoid &apos; in HTML emails for IE/Outlook compatibility — use &#39;.
    • Numeric entities work for any code point. Need a thumbs-up emoji? &#128077; works everywhere; the named entity does not exist.
    • UTF-8 makes most named entities unnecessary. If your page is served as charset=utf-8 (which it should be in 2026), you only need to escape &, <, >, ", and '. Don’t encode ©, —, é — just write them directly.
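    The context-aware encoder and the gotchas above, as an added example that is not the tool’s own code: body versus attribute context, the ampersand-ordering mistake reproduced next to the correct single-pass version, a one-layer decoder for decimal, hex and named entities, and a peel-until-stable decoder that reports how many layers a double-encoded feed had. The small NAMED table and every function name are my own.

```javascript
// Added example (not the tool's own code): context-aware encoding and a
// multi-layer decoder. The tiny NAMED table and all function names are mine.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                nbsp: '\u00A0', copy: '\u00A9', mdash: '\u2014' };

// Body context escapes & < >; attribute context also escapes " and '.
// One regex pass replaces every character in a single sweep, so an &lt;
// produced here can never be re-encoded into &amp;lt;.
function encodeHtml(text, context = 'body') {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  if (context === 'attribute') Object.assign(map, { '"': '&quot;', "'": '&#39;' });
  return text.replace(/[&<>"']/g, ch => map[ch] ?? ch);
}

// The ordering mistake from the gotchas list: < first, then &, so the & of
// the freshly written &lt; gets encoded a second time.
function encodeWrongOrder(text) {
  return text.replace(/</g, '&lt;').replace(/&/g, '&amp;');
}

// Decode one layer: &#NNN; (decimal), &#xHH; (hex) and names found in NAMED.
// Unknown names and out-of-range code points are left literally, as browsers do.
function decodeHtml(text) {
  return text.replace(/&(?:#[xX]([0-9a-fA-F]+)|#(\d+)|([a-zA-Z]+));/g,
    (m, hex, dec, name) => {
      const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
      if (cp >= 0) return cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
      return NAMED[name] ?? m;
    });
}

// Decode until the text stops changing and report how many layers came off.
// Only do this on data you know is over-encoded: a legitimately single-encoded
// "&amp;lt;" would be stripped all the way to "<", so the caller decides.
function decodeAllLayers(text, maxLayers = 5) {
  let cur = text, layers = 0;
  while (layers < maxLayers) {
    const next = decodeHtml(cur);
    if (next === cur) break;
    cur = next;
    layers += 1;
  }
  return { text: cur, layers };
}

// U+00A0 looks like a space but fails string equality; normalise before comparing.
function normalizeSpaces(text) {
  return text.replace(/\u00A0/g, ' ');
}
```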

    When NOT to use this tool

    For server-side templating, use your framework’s auto-escaping: React ({value} escapes by default), Vue, Handlebars, Jinja2, Thymeleaf, ERB, Liquid all escape HTML automatically. Only reach for an external encoder when you have a stuck string from a feed, log, or copy-paste of an export. For programmatic encoding in client-side JS, element.textContent = userInput is safer than building an HTML string and encoding it — the DOM API never confuses content with markup.

    Frequently asked questions

    What’s the difference between HTML entity encoding and URL encoding?

    Different places, different rules. HTML entity encoding makes characters safe to include inside an HTML document (& → &amp;). URL encoding (percent-encoding) makes characters safe to put inside a URL (& → %26). They are not interchangeable. Use HTML for HTML, URL for URLs.

    Why does my page show &amp;quot; instead of "?

    Double-encoding. The string was encoded once (" → &quot;), then encoded again, so & became &amp; and the result is &amp;quot;. Decode twice to recover. Long-term fix: encode at exactly one layer of your stack — typically right before output, never during storage.

    Does my framework already escape HTML?

    Probably yes, if you use template syntax like React’s {value}, Vue’s {{ value }}, Jinja2’s {{ value }}, or Handlebars’s {{ value }}. All escape by default. The dangerous variants — React’s dangerouslySetInnerHTML, Vue’s v-html, Jinja2’s |safe — bypass escaping. Audit those carefully.

    Should I use named or numeric entities?

    Numeric is more universal. Named entities (&copy;) are readable but only ~2,231 characters have HTML5 names. Numeric entities (&#169;) work for every Unicode code point. For HTML emails, prefer numeric — old email clients may not recognise newer named entities like &apos;.

    Is my data uploaded?

    No. The encoder/decoder runs in your browser via JavaScript. Pasted content is never sent to our servers, which makes it safe for decoding tokens, signed cookies, or potentially sensitive feed data.

    How many named HTML entities exist?

    HTML5 defines 2,231 named character references. They cover the named entities from HTML4 plus many more — including math symbols, arrows, and Greek letters. Our decoder handles all of them. The full list is in the WHATWG HTML spec.


  • Strong Random Password Generator: NIST-Aligned & Secure

    TL;DR: A strong random password generator uses your browser’s Web Crypto API (crypto.getRandomValues) to produce passwords from genuine OS-level entropy, not predictable Math.random(). Aim for at least 80 bits of entropy — that’s roughly 16 mixed-case alphanumeric characters or a 6-word passphrase. Our free generator does both and shows you the entropy live, so you can see exactly how strong each output is.

    The fundamental rule of password security has changed quietly: NIST’s 2024 update (SP 800-63-4) prohibits forcing users to mix uppercase, lowercase, digits, and symbols. The reason is empirical. Forced complexity rules produced more predictable passwords, not stronger ones — users picked the same dozen tricks (capitalise the first letter, replace o with 0, add ! at the end) and attackers learned them years ago. The new guidance: length is what matters. A 16-character lowercase-only password has more entropy than an 8-character password using the full ASCII set.

    Our strong random password generator implements this guidance. It defaults to 20 characters with the full mixed-case alphanumeric+symbol pool, computes the entropy live, and runs entirely in your browser using the Web Crypto API — your password never travels to any server. This guide explains the math behind password strength, why Math.random() is dangerous, the three modes (random, pronounceable, passphrase) and when to use each, and the storage workflow that keeps strong passwords actually usable.

    Why password entropy matters more than complexity

    Password strength is measured in bits of entropy. A password with N bits of entropy means an attacker needs to try up to 2^N combinations to crack it by brute force. The math is simple: each character drawn at random from a pool of P characters contributes log₂(P) bits.

    Character pool | Pool size | Bits per character
    Lowercase only (a-z) | 26 | 4.7
    Lower + upper (a-z, A-Z) | 52 | 5.7
    Lower + upper + digits | 62 | 5.95
    Lower + upper + digits + symbols | ~94 | 6.55

    Multiply bits-per-character by length to get total entropy. The thresholds to remember:

    • Under 40 bits: weak. Crackable in minutes-to-hours by a modern GPU farm against any common password hash.
    • 40-60 bits: moderate. Survives casual attacks but falls to determined attackers within days against fast hashes (MD5, SHA-256).
    • 60-80 bits: strong. Beyond practical brute force for any single attacker; survives most state-of-the-art GPU farms for years.
    • 80+ bits: excellent. Requires nation-state computational resources and decades of work. NIST’s recommended floor for high-security passwords.