🔒 Security
Security Tools FAQ — Hashing, Encryption, Passwords & Authentication
Security-focused answers about hashing vs encryption, password storage best practices, JWT security, and how to protect sensitive data. Essential reading for developers handling authentication.
Q1 What is the difference between hashing and encryption?
Hashing is a one-way function: a fixed-size digest is computed from the input, and there is no operation that recovers the input from the digest. It is used for verifying integrity (file checksums) and, with a dedicated password hashing function (see Q2), for storing passwords. Encryption is two-way: data is encrypted under a key and can be decrypted with the same key (symmetric, e.g. AES) or with the matching key of a pair (asymmetric, e.g. RSA). Use hashing for passwords and data verification; use encryption when you need to recover the original data later, and prefer an authenticated mode such as AES-GCM so that tampering with the ciphertext is detected rather than silently decrypted into garbage. Generate hashes with the Hash Generator.
Q2 How should I store passwords in a database?
Never store passwords in plain text or with a fast general-purpose hash (MD5, SHA-256), salted or not: a GPU can test billions of such hashes per second. Use a dedicated password hashing algorithm: Argon2id, bcrypt, or scrypt. These are deliberately slow (and, for Argon2 and scrypt, memory-hard) to resist brute force, and they generate and store a unique salt per password for you. In Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt()) to hash and bcrypt.checkpw(password.encode(), stored_hash) to verify. In Node.js: await bcrypt.hash(password, 12) and await bcrypt.compare(password, storedHash). Always verify with the library's compare function, which runs in constant time, never with a plain equality check. The salt defeats rainbow tables, and the cost factor (12 rounds here, a few hundred milliseconds per hash on current hardware) is what makes offline guessing expensive; raise it as hardware gets faster. Note that bcrypt only uses the first 72 bytes of the password.
Q3 Is a JWT token secure?
A JWT is only as secure as its signature and how you handle it. The payload is Base64url-encoded, not encrypted: anyone holding the token can read every claim. Security comes from the signature, an HMAC (HS256) or an asymmetric signature (RS256, ES256), which prevents tampering; it does not hide anything. Best practices: (1) use short expiry times (15–60 minutes) and check the exp claim on every request; (2) never store sensitive data in the payload; (3) validate the signature server-side on every request and pin the expected algorithm, rejecting alg: none and any algorithm you did not issue; (4) with HS256, keep the signing key long, random and server-side only; (5) send tokens over HTTPS only. Inspect any JWT with the JWT Decoder.
Q4 What is a salt in password hashing?
A salt is a unique random value added to each password before hashing. Without a salt, identical passwords produce identical hashes, so an attacker can crack them with a pre-computed rainbow table and spot reused passwords at a glance. With a salt, every stored hash is unique even when two users chose the same password, and each one has to be attacked separately. The salt is not secret; it is stored next to the hash. Modern algorithms (bcrypt, Argon2, scrypt) generate and store the salt automatically. Never implement your own salting: use the library's built-in mechanism.
Q5 Which hash algorithm should I use?
For passwords: use Argon2id (the recommended variant of Argon2, winner of the Password Hashing Competition), bcrypt, or scrypt. For file integrity: use SHA-256 or SHA-512, and remember that a bare checksum only detects accidental corruption; if an attacker can replace both the file and its published checksum, you need a digital signature or an HMAC keyed with a secret. For non-security checksums (caching, deduplication): MD5 or CRC32 are fine because they are fast. Never use MD5 or SHA-1 for security; both have practical collision attacks. Generate and compare hashes with the Hash Generator.
Q6 How do I securely store API keys and secrets?
Never hardcode secrets in source code or commit them to Git. Best practices: (1) read them from environment variables (process.env.API_KEY) and fail at startup if one is missing; (2) use a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) as the source of truth; (3) add .env to .gitignore and run a secret scanner in CI or as a pre-commit hook; (4) rotate keys regularly; (5) use different keys per environment (dev/staging/prod) so a leaked dev key cannot reach production; (6) keep secrets out of logs, error messages and crash reports. If a key is accidentally committed, consider it compromised and rotate it immediately; rewriting Git history does not help, because the value may already be in clones, forks, CI logs and scanner caches.
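An added example (not code from this page) of points (1) and (6): read the secrets a service needs from the environment at startup, fail fast naming only the missing variables, and redact values before they reach a log line. The variable names and the constructed environment object are this example's own.

```javascript
// Resolve required secrets from an environment object (process.env in production).
// Fails before any request is served, and the error names the variables, never their values.
function loadSecrets(required, env = process.env) {
  const missing = required.filter((name) => typeof env[name] !== 'string' || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error(`missing required secrets: ${missing.join(', ')}`);
  }
  return Object.freeze(Object.fromEntries(required.map((name) => [name, env[name]])));
}

// Keep just enough of a value to tell two keys apart in a log line or ticket.
function redact(value, visible = 4) {
  if (typeof value !== 'string' || value.length <= visible) return '****';
  return '*'.repeat(value.length - visible) + value.slice(-visible);
}

// Constructed environment for the demo; real values come from the secrets manager or a git-ignored .env.
const demoEnv = { API_KEY: 'constructed-example-key-9f3a', DATABASE_URL: 'postgres://app:pw@db/app' };
const secrets = loadSecrets(['API_KEY', 'DATABASE_URL'], demoEnv);
console.log(`api key loaded: ${redact(secrets.API_KEY)}`); // only the last four characters survive
```

Ask for a secret the environment lacks and loadSecrets throws with the variable name in the message and nothing else, which is the only safe thing an error text can carry.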
Q7 What is HTTPS and why is it important?
HTTPS encrypts all data between the browser and server using TLS (Transport Layer Security). Without HTTPS, passwords, cookies, and API tokens travel in plain text and can be read or modified by anyone on the path: public WiFi, ISPs, or a compromised router. HTTPS also authenticates the server and prevents content tampering, and it is a Google ranking factor. Modern browsers mark HTTP sites as 'Not Secure'. Use free TLS certificates from Let's Encrypt; there is no reason not to use HTTPS in production. Enforce it rather than merely offering it: redirect HTTP to HTTPS, send a Strict-Transport-Security header, and set the Secure flag on cookies so they are never sent over plain HTTP.
Q8 What is two-factor authentication (2FA) and how does it work?
Two-factor authentication requires two different types of proof: something you know (password) plus something you have (phone, hardware key) or something you are (biometric). Common 2FA methods: (1) TOTP codes (Google Authenticator, Authy): time-based 6-digit codes derived from a shared secret and rotating every 30 seconds; (2) SMS codes: less secure due to SIM swapping and interception; (3) hardware keys (YubiKey and other FIDO2/WebAuthn authenticators): most secure, and the only one of the three that resists phishing, because the response is bound to the site's origin and cannot be relayed to a fake login page. TOTP and SMS codes can be phished in real time. Always enable 2FA on accounts that support it, especially GitHub, AWS, and email, and keep the recovery codes somewhere safe.
Free Security Tools
All tools run in your browser — no signup, no data sent to servers.