Security Tools & Encryption Utilities

Why Encryption and Hashing Matter

Every application that stores credentials, transmits sensitive data, or calls external APIs depends on cryptographic primitives. The cost of choosing the wrong one is high: MD5-hashed passwords cracked in seconds, padding-oracle vulnerabilities exposing plaintext, or unauthenticated ciphertext silently modified in transit. Cryptography is not optional in production systems, and the difference between secure and insecure is often a single function call.

Encryption, Hashing, and Encoding Serve Different Purposes

Encryption transforms plaintext into ciphertext using a secret key. The operation is reversible — given the correct key, you recover the original data. AES-256 is the standard for symmetric encryption, where a single key is used for both encrypt and decrypt. RSA and ECC are used for asymmetric operations, where a public key encrypts and a private key decrypts. Use encryption when data must be readable again later. See AES vs RSA for a breakdown of symmetric versus asymmetric encryption.

When selecting an AES mode, prefer AES-GCM over AES-CBC. AES-GCM is an AEAD (Authenticated Encryption with Associated Data) mode: it guarantees both confidentiality and integrity in a single pass. AES-CBC provides confidentiality only and is vulnerable to padding oracle attacks without a separate message authentication code.

Hashing is a one-way transformation. A cryptographic hash function produces a fixed-size digest from arbitrary input. The same input always produces the same digest, but you cannot reverse a digest to recover the input. Use SHA-256 for checksums and data integrity. HMAC-SHA256 adds a secret key to the process, making it suitable for API signature verification and webhook authentication. Never use MD5 or SHA-1 for new security work — both have well-documented collision vulnerabilities.

Encoding (Base64, URL encoding, hex) is not a security mechanism. These schemes transform data for transport or storage compatibility and are fully reversible without any secret. Treating Base64-encoded data as obfuscated or secure is a common and expensive mistake. See Encoding and Encryption: What's the Difference? for a clear breakdown.

Password Storage Requires a Slow Hash Function

Storing passwords with a general-purpose hash (SHA-256, MD5) is a critical vulnerability. These algorithms are designed to be fast — an attacker with consumer GPUs can compute billions of SHA-256 hashes per second, making offline brute-force trivial. Password hashing algorithms are specifically designed to be slow and memory-intensive. They include a random salt per password to prevent rainbow table attacks and a configurable cost factor that can be increased as hardware improves.

• bcrypt — the most widely deployed option. Use a cost factor of 12 or higher for new systems.
• Argon2id — winner of the 2015 Password Hashing Competition. Recommended for new systems. Stronger memory hardness than bcrypt.
• PBKDF2 — FIPS 140-2 compliant. Required in some regulated environments but offers weaker memory hardness than Argon2id.

See How Password Hashing Works and the bcrypt vs Argon2 vs PBKDF2 comparison for a full breakdown.

Transport Security and API Authentication

TLS (Transport Layer Security) is the cryptographic protocol behind HTTPS. It provides confidentiality, integrity, and server authentication for data in transit. TLS 1.3 is the current standard; TLS 1.0 and 1.1 are deprecated. See What Is TLS? for a practical explanation of how the handshake works and what it protects against.

For API authentication and message integrity, HMAC verifies that a request originated from the holder of a shared secret and was not altered in transit. HMAC-SHA256 is used in webhook signature verification, JWT signing (HS256 algorithm), and AWS Signature Version 4. Use HMAC when you need integrity with a shared secret; use asymmetric signatures (RSA-PSS, ECDSA) when you need non-repudiation.