🔐 Text Encryptor/Decryptor

Input
Output

 Six Methods, Three Different Jobs

Encodings (Base64, URL, Hex) are reversible by anyone — they change representation, not secrecy. Encryption (AES) is reversible only with the key. Hashes (SHA-256, MD5) are one-way fingerprints — there is no "decrypt," only re-hash-and-compare. Base64-ing a password is not encryption; that misunderstanding has caused real breaches.

 How the AES Mode Here Actually Works

  • Web Crypto, locally: encryption runs on your device with the browser's native crypto engine. Plaintext and key never leave your machine — the page works offline.
  • Your passphrase is stretched into a key: a key-derivation step turns your text key into a proper AES key, so the passphrase length isn't the key length — but a guessable passphrase is still the weakest link.
  • Key hygiene: use 16+ random characters (our Random Password Generator is ideal), share the key over a different channel than the ciphertext, and know that a lost key means permanently lost data — there's no recovery backdoor, which is the point.
  • Same key decrypts anywhere: the recipient opens this page, selects AES, pastes the ciphertext, enters the same key.

 A Short History of Broken Hashes

Hashes age. MD5 (1992) was fully collision-broken by 2004 — researchers can now craft two different files with the same MD5 in seconds, which is how a forged certificate authority was demonstrated in 2008. SHA-1 followed in 2017 (Google's "SHAttered" collision). SHA-256 remains solid and is what Bitcoin, TLS certificates, and modern signatures rely on. Practical rule: MD5 only for non-security jobs (cache keys, dedup checks); SHA-256 for anything an attacker might touch; and for storing user passwords, use a dedicated slow hash (bcrypt/argon2) on the server, not a fast hash at all.

 Frequently Asked Questions

Why does Base64 output end with = signs?

Padding: Base64 emits 4 characters per 3 input bytes, and = fills the remainder when input length isn't divisible by 3. It's a format artifact, not part of your data.

Can "MD5 decrypt" sites really reverse a hash?

No — they look the hash up in giant precomputed tables of common inputs. Random or long inputs aren't in any table. That's also why password salts exist: they make precomputed tables useless.

What's URL encoding for, really?

URLs only allow a limited character set, so spaces, non-ASCII text, and reserved characters become %XX escapes of their UTF-8 bytes. If a query parameter contains & or =, failing to encode it silently corrupts the request — the classic broken-link bug.

Is anything I type sent to your server?

No. All six operations run in-browser via the Web Crypto API and plain JavaScript. Disconnect from the network and the tool keeps working.