Security Tools
Generate passwords, hash files, sign webhook payloads, decode JWTs and certificates, build TOTP codes, all in your browser. Open DevTools → Network and confirm: no request leaves your tab when you click a button.
Built for password, hash, signature and token workflows
Six tools: a configurable password generator, a multi-algorithm hash tool (MD5, SHA-1, SHA-256, SHA-384, SHA-512), a dedicated HMAC generator for webhook signatures (Stripe, GitHub, Slack, Twilio), a JWT decoder with local signature verification, an X.509 / PEM certificate decoder, and a TOTP two-factor code generator. All use the browser's native Web Crypto API where available, no external dependency.
Start with Password Generator for a strong password, Hash Generator for checksums, HMAC Generator for webhook signatures, or the JWT Decoder to inspect a token.
Password Generator
Generate strong, random passwords with customizable length and character sets.
Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512 hashes from text or files. Hex or Base64 (SRI ready).
HMAC Generator
Sign payloads with HMAC-SHA-256 / SHA-512 for webhook verification (Stripe, GitHub, Slack, Twilio) and JWT.
JWT Decoder
Decode a JSON Web Token, inspect claims and expiry, and verify HS256/RS256/ES256 signatures locally.
Certificate Decoder
Parse X.509 / PEM certificates: subject, issuer, SANs, validity, key algorithm and SHA-256 fingerprint.
TOTP Generator
Turn a Base32 secret into live two-factor codes (RFC 6238) with an otpauth QR for authenticator apps.
Frequently Asked Questions
How is randomness generated for passwords?
Via crypto.getRandomValues() (Web Crypto API), a cryptographic entropy source provided by the operating system. Math.random() is never used: it isn't secure for password generation.
Why offer MD5 and SHA-1 alongside SHA-256 and SHA-512?
MD5 and SHA-1 are cryptographically broken but remain useful for verifying file integrity against legacy hashes or comparing to existing systems. SHA-256 and SHA-512 are the right choice for any new use.
Is the password generator suitable for use with a password manager?
Yes. Generated passwords are copyable and meet expected entropy levels. Praticulus is not a manager (no storage), just a generator. Paste the result into your manager of choice.
Are passwords ever sent to a service like "Have I Been Pwned"?
No, never. Open DevTools → Network before generating a password, you will see zero outbound requests. Same contract as every tool on this site.
Is the JWT decoder RFC 7519 compliant, and does it verify signatures locally?
Yes. It decodes the Base64url header and payload per RFC 7519 and verifies HS256/384/512, RS256/384/512 and ES256/384/512 signatures with the browser's native crypto.subtle.verify: your token, secret and keys never leave the tab.