Security Pillar
Web Security Tools: A Beginner's Masterclass
Security is one of those topics that scares people into either ignoring it completely or overdoing it in ways that create new problems. This guide is the middle path. If you have ever wondered why your senior dev keeps insisting on bcrypt instead of SHA-256 for passwords, what a Caesar cipher is actually good for, or why "encryption" and "encoding" are not the same thing, this piece is for you.
We will walk the ladder from the dumbest possible ciphers to modern authenticated encryption, stop along the way to look at real-world attacks, and show you how to experiment with every concept using tools that run entirely in your browser — no accounts, no uploads, no chance of leaking whatever you paste.
The threat landscape in 2026
Attackers in 2026 mostly do not break cryptography. They go around it. The dominant attack classes for web applications have stayed remarkably stable for a decade: credential stuffing, phishing, insecure direct object references, server-side request forgery, and old-fashioned XSS. The tools on the defense side have improved, but the attackers have better automation too, and that evens out.
Who is attacking what
If you run a small web app, you are not being targeted by nation-states. You are being hit by opportunistic bot traffic that crawls for known vulnerabilities, stolen credentials replayed across sites, and the occasional scraper. Your defensive goal is not to be impenetrable — it is to be slightly harder than the next target. Most breaches happen because a project shipped with a default credential, an unsanitized input, or a dependency with a published CVE that nobody patched.
The supply chain problem
The CVE database lists thousands of known vulnerabilities in open-source packages. If you pull in fifty dependencies, odds are at least one of them has a published issue. Running an SCA (software composition analysis) scan before you deploy is table stakes now, not a nice-to-have. Services like GitHub Advisories and OSV.dev surface this for free.
What's new this year
Post-quantum cryptography standards landed. NIST finalized ML-KEM (Kyber) and ML-DSA (Dilithium) as the first post-quantum primitives, and browsers started rolling out hybrid TLS 1.3 that combines classical X25519 with Kyber. You don't need to do anything about it — your TLS library will — but knowing the terminology helps when you read the news.
Password hygiene: why complexity still matters
People love to claim "length beats complexity" and then generate 8-character passwords. Both length and entropy matter. The practical rule: generate passwords you will never memorize, store them in a manager, and let the machine do the work.
How long is long enough
For a human-memorable passphrase, four or five random dictionary words from a list of ~7,000 gives you about 57–70 bits of entropy. For a random-character password, 16 characters from a 94-character set gives you roughly 105 bits. Both are more than enough against offline brute force, assuming the site stores your password with a strong KDF and not MD5. Use Password Generator to produce one now; it runs in your browser via crypto.getRandomValues(), so the output can be processed without a FastTool upload workflow.
Rotation is mostly obsolete
The old advice of "rotate your password every 90 days" is gone. NIST SP 800-63B explicitly says not to force periodic rotation without a reason. The rationale: forced rotation leads people to increment ("Summer2025!" → "Summer2026!"), which is worse than keeping a strong one. Rotate when there's an incident. Otherwise, leave it.
The multi-factor step-up
Passwords alone are not enough for anything that matters. Second factors — hardware keys (YubiKey, Titan), TOTP apps, or passkeys (the FIDO2/WebAuthn standard) — raise the bar dramatically. If a site supports passkeys, use them. They eliminate phishing as an attack vector because the private key can be processed without a FastTool upload workflow. For passwords themselves, check quality with a password strength checker; or better, just trust your generator.
Hashing vs encryption vs encoding: the fundamental triad
This is the single most confused topic in security. I have seen senior engineers say "let's encrypt the passwords" when they mean hash them. Let us nail it down.
Encoding: not security
Encoding is a reversible transformation that changes how data is represented, not what it says. Base64 turns binary bytes into ASCII so you can stick an image in an email. URL encoding turns spaces and special characters into %XX escapes. HTML entities turn < into &lt; so a browser doesn't parse it as a tag. Encoding is a format concern, not a security concern. Anyone can reverse it. If someone tells you they "encrypted" something with Base64, correct them gently.
Hashing: one-way
A cryptographic hash takes any input and produces a fixed-size output in a way that you cannot run backward. Given the hash, you cannot recover the input except by guessing. Good hashes for passwords are scrypt, bcrypt, Argon2, and PBKDF2 — all deliberately slow, which hurts attackers more than it hurts your server. Good hashes for data integrity (file checksums, digital signatures) are SHA-256, SHA-3, and BLAKE3 — fast, collision-resistant, not designed for passwords. Use Hash Generator to compute SHA-256 or MD5 on arbitrary text, and Bcrypt Generator for password hashes with adjustable cost.
Encryption: two-way, with a key
Encryption transforms plaintext into ciphertext so that only someone with the key can recover the original. Symmetric encryption uses the same key on both ends (AES, ChaCha20). Asymmetric encryption uses a key pair — public for encrypting, private for decrypting (RSA, Curve25519). Modern systems almost always combine the two: asymmetric to exchange a symmetric key, then symmetric for the actual data, because symmetric is dramatically faster.
| Technique | Reversible? | Needs a key? | Use it for |
|---|---|---|---|
| Encoding (Base64, URL, HTML) | Yes, trivially | No | Safe transport of binary data |
| Hashing (SHA-256) | No | No | Integrity checks, signatures |
| Password hashing (bcrypt, Argon2) | No, by design | No (salt is not a key) | Storing user credentials |
| Symmetric encryption (AES-GCM) | Yes, with key | Yes | Bulk data at rest or in transit |
| Asymmetric encryption (RSA, ECDH) | Yes, with private key | Key pair | Key exchange, signatures |
Classic ciphers as a learning ladder
Nobody uses Caesar ciphers in production. That is not the point. Working through the classical ciphers in order gives you intuition for why modern cryptography looks the way it does — every design choice in AES or ChaCha20 is a response to a weakness in a simpler scheme.
The substitution family
A substitution cipher replaces each letter with another letter. The most famous is Caesar, which simply shifts by a fixed number. Caesar Cipher is a fine way to experiment: set shift = 13 and you have ROT13, which is still used for hiding spoilers. Atbash reverses the alphabet (A↔Z, B↔Y) and shows up in ancient Hebrew texts. Affine cipher generalizes Caesar by applying a linear function over Z/26. All of them break in seconds to a frequency analysis: English text has well-known letter distributions, and any monoalphabetic cipher preserves them.
The polyalphabetic upgrade
If a monoalphabetic cipher falls to letter frequency, the fix is to use multiple alphabets. Vigenère cipher uses a keyword to shift each letter by a different amount. For three hundred years it was considered unbreakable. Then Friedrich Kasiski and Charles Babbage figured out that if you find repeated sequences in the ciphertext, the distance between them is often a multiple of the key length, which lets you slice the ciphertext into as many Caesar ciphers as the key is long, and solve each one separately. The lesson: any pattern an attacker can see is a hole.
Transposition ciphers
Instead of replacing letters, transposition ciphers rearrange them. The Rail Fence Cipher writes the message in a zigzag across N rows and reads off row by row. It is trivially breakable but useful to understand because modern block ciphers still use transposition (permutation) steps internally.
Mixed classical schemes
The Playfair cipher operates on digraphs (pairs of letters) which breaks simple frequency analysis and was used by British forces in both World Wars. Bacon's cipher encodes each letter as a 5-bit binary pattern expressed through typographic variation — an early steganographic scheme. Both are too slow and weak for modern use, but they introduce essential ideas: bigram statistics, information hiding, and the difference between a cipher's algorithm and its key.
Why it all failed
Every classical cipher died the same way: statistical structure in the plaintext leaked through the ciphertext. Modern ciphers are designed so that the output looks statistically indistinguishable from random, regardless of the input. Getting there required a century of math.
Modern cryptography primitives every developer should know
AES: the workhorse
AES (Advanced Encryption Standard) is the symmetric cipher behind most of the internet's data at rest. It operates on 128-bit blocks with 128, 192, or 256-bit keys. AES-256-GCM is the recommended default: GCM (Galois/Counter Mode) provides both confidentiality and authentication, meaning an attacker cannot tamper with the ciphertext without detection. If you ever see "AES-ECB" in a codebase, that is a code smell — ECB mode leaks patterns and is never safe for real data.
ChaCha20-Poly1305: the challenger
ChaCha20 is a stream cipher with excellent performance on CPUs that lack AES hardware (mobile, embedded). Combined with the Poly1305 authenticator, it forms an authenticated encryption construction that is the default in TLS 1.3 for many clients. For practical purposes, AES-GCM and ChaCha20-Poly1305 are interchangeable: pick whichever your library prefers.
JWT: pragmatic but perilous
JSON Web Tokens are a compact way to carry claims between services. A JWT is three Base64url-encoded parts joined by dots: header, payload, signature. The signature is computed over the first two parts with either a shared secret (HMAC) or a private key (RSA/ECDSA). JWTs are fine for stateless auth if you use a strong algorithm, validate the algorithm header strictly, and expire tokens quickly. JWT Decoder lets you inspect a token's claims without verifying the signature, which is useful for debugging — but remember, decoding is not validation.
Key derivation functions
When you need to turn a password into a key, you do not hand that password straight to AES. You run it through a key derivation function (KDF) that is slow on purpose, so that offline brute force is expensive. PBKDF2, scrypt, and Argon2id are the three to know. Argon2id, which won the Password Hashing Competition in 2015, is the modern recommendation. Every KDF takes a salt so that identical passwords hash to different values — a critical defense against rainbow tables.
OWASP Top 10 and how to verify against them
The OWASP Top 10 is the industry reference for common web-app vulnerabilities. It is not exhaustive, but if you systematically defend against all ten, you have eliminated the majority of practical attacks. Here is the short version with concrete testing suggestions.
A01 – Broken Access Control
Most common cause of real incidents. Every endpoint that returns user data should verify that the caller has permission for that specific record. Test by creating two accounts, getting a URL from account A, and calling it as account B. If it works, you have an IDOR.
A02 – Cryptographic Failures
Storing passwords in plaintext, using MD5 for integrity, rolling your own crypto, leaking keys in source control. The fix: use your language's vetted library (libsodium, Web Crypto, Go's crypto/*, Rust's ring), never implement a primitive yourself, and run a secret scanner over your repo.
A03 – Injection
SQL injection is the canonical example, but command injection, LDAP injection, and template injection are all in this family. The universal fix: parameterize. Never concatenate user input into a query string. Use prepared statements. Test with Regex Tester when you need to validate input patterns — but regex is a weak defense on its own, not a primary one.
A04 – Insecure Design
Threat modeling at design time prevents entire vulnerability classes that patches cannot fix later. If you have not asked "what could go wrong?" before coding, you will ask it after the breach.
A07 – Identification & Authentication Failures
Weak password policies, missing rate limiting, session tokens in URLs. Rate limit login attempts aggressively. Invalidate sessions on password change. Use HTTP-only, secure, SameSite=Lax cookies for session IDs.
A10 – Server-Side Request Forgery
If your app fetches URLs on behalf of users, an attacker can point it at internal endpoints. Block private IP ranges at the HTTP client level, and never trust user-provided URLs without a strict allowlist.
Privacy-first security tooling
Security experimentation should never leak the thing you are experimenting on. A browser-based tool that runs fully on your machine is the right way to learn. You can paste real keys, real hashes, and real tokens without worrying about a server seeing them. Here is how to think about the tooling.
Verification in DevTools
Every tool you use for security should pass the DevTools test. Open Network. Clear. Perform the action. If the only requests are static asset loads, the tool is legitimately client-side. If you see a POST to a server when you hit "encrypt," stop immediately.
Hash-and-compare workflows
When you download a file and the publisher lists a SHA-256 hash, compute the hash locally and compare. Hash Generator handles text; for files, most operating systems ship shasum -a 256 on the command line. A match confirms integrity; a mismatch means the file was altered in transit or at rest.
Safe decoding in triage
When you are investigating a suspicious URL or payload, decoding is often the first step — but you should decode in a sandbox, not on the target machine. Base64 Encoder/Decoder, URL Encoder/Decoder, and HTML Entities Encoder let you flip encoding layers quickly without running the payload.
Incident response basics
An incident will happen. The measure of a team is not "did we get breached" but "how fast did we contain it and what did we learn." The simplest effective incident response plan has four steps.
1. Contain
Revoke compromised credentials immediately. Rotate API keys. Invalidate sessions. Pull the affected machine off the network if you can. Containment takes precedence over investigation.
2. Preserve evidence
Before you reboot anything, snapshot disk state, memory, and logs. The reboot is often what destroys the evidence you need for a root cause analysis.
3. Investigate
Walk back from the first indicator to the entry point. How did the attacker get in? What did they touch? Logs from your CDN, reverse proxy, application, and database are the core timeline. The MITRE ATT&CK framework gives you a vocabulary for the techniques you observe.
4. Remediate and learn
Patch the hole. Then write up what happened without blame. Change processes, not just code, so the same class of incident does not repeat. Publish a postmortem if you owe users transparency. The hardest part is being honest about the gap between "what we thought we had in place" and "what we actually had."
FAQ
Is MD5 ever OK to use?
For integrity checks on non-adversarial data (detecting disk bit rot on your own backups, for example), MD5 is fast and cheap and fine. For anything touching security — signatures, passwords, cache keys in an adversarial environment — MD5 is broken. Use SHA-256 or BLAKE3 instead.
Can I write my own encryption?
No. Really, no. Every production cryptographer will tell you the same thing. The failure modes are subtle, and you will not find them in testing. Use libsodium, Web Crypto, or your language's audited library. If you want to learn, implement it as an exercise and then throw the code away.
Should I hash the password on the client before sending it?
Generally no. The hash becomes the effective password, so you have not gained anything. What actually helps is TLS (which you already have) plus server-side slow hashing with a strong KDF. Client-side hashing only makes sense in specific zero-knowledge architectures.
Is Base64 encryption?
No. Base64 is encoding. Anyone can decode it. If your app relies on Base64 to "hide" a value, the value is public.
Do I need to care about post-quantum yet?
For TLS, your library will handle it. For long-lived data — encrypted archives that should remain confidential for 20+ years — you should be planning. An attacker can store your ciphertext today and decrypt it once quantum computers are capable. For everything short-lived (session tokens, ephemeral messages), you have time.
What is the difference between authentication and authorization?
Authentication proves who you are. Authorization decides what you are allowed to do. "Log in with Google" is authentication. "Only admins can delete a post" is authorization. Confusing the two causes most access-control bugs.
Where should I practice?
Start with classical ciphers in this guide. Then try the Cryptopals Challenges, which are free and teach modern cryptography by breaking it. Follow up with OWASP's Juice Shop for deliberately vulnerable web apps.
How do I stay current?
Subscribe to the Krebs on Security blog for investigative reporting, the oss-security mailing list for raw disclosures, and your language's security advisories feed for patches. Set a 30-minute weekly slot. That is enough.
Closing thought
Security is boring until it is not. The work that matters most is the boring work: strong passwords stored in a manager, MFA everywhere, dependencies up to date, every input validated, every hash salted and slow. Big heroic moments during incidents come from having done the boring work first. The tools in this guide are a starting kit — everything you need to experiment, verify, and learn without leaking anything to anyone.