100% client-side — your input never leaves your browser.Verify

Security Tools

Generate strong passwords, hash files, sign webhook payloads with HMAC — all in your browser. Open DevTools → Network and confirm: no request leaves your tab when you click a button.

Built for password, hash and signature workflows

Three tools: a configurable password generator, a multi-algorithm hash tool (MD5, SHA-1, SHA-256, SHA-384, SHA-512), and a dedicated HMAC generator for webhook signature verification (Stripe, GitHub, Slack, Twilio, JWT). All use the browser's native Web Crypto API where available — no external dependency.

Start with Password Generator for a strong password, Hash Generator for checksums and Subresource Integrity, or HMAC Generator for webhook signatures.

🔒

Password Generator

Generate strong, random passwords with customizable length and character sets.
#️⃣

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-384, SHA-512 hashes from text or files. Hex or Base64 (SRI ready).
🔏

HMAC Generator

Sign payloads with HMAC-SHA-256 / SHA-512 for webhook verification (Stripe, GitHub, Slack, Twilio) and JWT.

Frequently Asked Questions

How is randomness generated for passwords?

Via crypto.getRandomValues() (Web Crypto API), a cryptographic entropy source provided by the operating system. Math.random() is never used — it isn't secure for password generation.

Why offer MD5 and SHA-1 alongside SHA-256 and SHA-512?

MD5 and SHA-1 are cryptographically broken but remain useful for verifying file integrity against legacy hashes or comparing to existing systems. SHA-256 and SHA-512 are the right choice for any new use.

Is the password generator suitable for use with a password manager?

Yes. Generated passwords are copyable and meet expected entropy levels. Praticulus is not a manager (no storage), just a generator — paste the result into your manager of choice.

Are passwords ever sent to a service like "Have I Been Pwned"?

No, never. Open DevTools → Network before generating a password, you will see zero outbound requests. Same contract as every tool on this site.

When will JWT decoder, certificate decoder and TOTP generator be available?

Planned — see Coming next on this page and tool-saturation-security-v1 in our roadmap. All three will run client-side, with no token, certificate or secret ever leaving your browser.