Security & Privacy
Free, browser-based online security tools for everyday cryptography, password checks, token inspection and privacy-safe developer workflows. Inputs stay in your browser, so passwords, secrets, keys and tokens are not uploaded to ZeroUtil.
I want to…
AES-256 Encrypt / Decrypt Online - Free, In-Browser
Encrypt and decrypt text with AES-128, AES-192, or AES-256 in GCM, CBC, or CTR mode. PBKDF2 key derivation, entirely in your browser.
Try freeBasic Auth Header Generator
Create HTTP Basic Authentication headers from a username and password or API token.
Try freeCSP Header Generator
Build Content-Security-Policy headers with a visual form, presets and per-directive configuration.
Try freePassword Entropy Calculator
Estimate password entropy, character pool size and crack-time ranges for online and offline attacks.
Try freePassword Generator
Generate cryptographically secure random passwords with configurable length, character types and entropy display.
Try freePassword Strength Checker
Check password strength with entropy calculation, pattern detection and common password matching.
Try freePBKDF2 Hash Generator
Derive cryptographic keys from passwords using PBKDF2 with configurable iterations, salt and hash function.
Try freeRSA Key Generator
Generate RSA key pairs (2048 or 4096 bit) in PEM format using the Web Crypto API.
Try freeSecure Token Generator
Generate cryptographically secure random tokens in base64url, hex, alphanumeric or UUID v4 format.
Try freeSecurity Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes from text or files using the Web Crypto API.
Try freeTOTP Generator
Generate time-based one-time passwords (TOTP) from a base32 secret with live 30-second countdown.
Try freeSecurity tools that run in your browser
Security utilities are different from ordinary converters because the input is often sensitive: a password you are auditing, an API secret, a private key, a JWT payload, a TOTP seed or the file you want to fingerprint. The tools in this collection are designed for local, browser-based workflows. They use JavaScript and browser crypto APIs where possible, which means you can check, generate or transform security data without handing it to a server-side service.
Choose the right tool for the security job
Use the password generator when you need a new random credential, and the password strength checker or password entropy calculator when you need to evaluate an existing password or passphrase. Use the security hash generator to calculate SHA checksums for text or files, and the PBKDF2 hash generator when you need password-based key derivation rather than a plain checksum.
For authentication and API debugging, the HMAC generator signs messages with a shared secret, the Basic Auth header generator builds the exact HTTP header value expected by older APIs, and the JWT decoder lets you inspect token claims before you trust them. For key material, the RSA key generator creates key pairs locally, while the AES encrypt/decrypt tool handles symmetric encryption using AES-GCM.
Practical privacy model
ZeroUtil security tools are built for quick checks and developer operations, not as a replacement for a password manager, hardware security key, vault, or production key-management system. They are most useful when you need transparent client-side behavior: verify a downloaded file hash, generate a throwaway token for a local script, inspect a test JWT, calculate a TOTP code from a saved secret, or explain why a password is weak. For production secrets, keep your source of truth in a dedicated vault and rotate anything that may have been exposed elsewhere.
Common security workflows
- Password review - compare length, character set, entropy and obvious pattern risks before updating old credentials.
- Hash and checksum verification - calculate SHA-256 or SHA-512 for downloads, release artifacts or text snippets.
- API authentication - build Basic Auth headers or HMAC signatures for debugging requests against private services.
- Token inspection - decode JWT headers and claims locally so you can check expiry, issuer and audience fields.
- Key and code generation - create RSA key pairs, random tokens and TOTP codes without server-side storage.
Frequently Asked Questions
What does this security tools collection do?
It groups browser-based tools for common password, cryptography, token, key and API authentication tasks. You can generate passwords and tokens, inspect JWTs, calculate hashes and HMACs, build Basic Auth headers, generate RSA keys, derive PBKDF2 hashes, and run AES encryption workflows from one category page.
Is it safe to use these online security tools?
They are designed for local browser use, which is safer than tools that upload secrets for server-side processing. You should still avoid pasting production master passwords, long-term private keys or live customer secrets into any website unless you have reviewed and trust the code path.
Does data leave my browser?
The security tools in this category are intended to process user input in the browser and not send passwords, tokens, secrets, keys or generated outputs to ZeroUtil servers. For extra assurance, open your browser network panel before typing sensitive test data and confirm that no requests are made by the tool interaction.
Which tool should I use for password strength?
Use the password strength checker when you want a practical score with warnings about common patterns, repeated characters and weak formats. Use the password entropy calculator when you want the bit estimate and crack-time model behind a password or passphrase.
What is the difference between a hash and an HMAC?
A hash such as SHA-256 fingerprints data without a secret, so anyone can calculate the same digest for the same input. An HMAC combines the message with a shared secret, making it suitable for API signatures and message authentication because only parties with the secret can reproduce the value.
Can I use these tools for production secrets?
Use them for inspection, debugging, local generation and education, but keep production secrets in a password manager, vault or key-management system. If a live secret has been pasted into any web page by mistake, rotate it according to your normal incident process.