Hashes, encoding, and secrets: how to pick a tool

Integrity: when a hash is the right answer

A cryptographic hash maps input of any size to a short fingerprint. It is designed to be one-way: you can verify whether two inputs match by comparing hashes, but you should not treat a hash as a secret.

Use SHA-256 on salamyx.com when you need checksums, release artifacts, or quick equality checks for text. Use the file hash page when the input is a local file and you still want browser-side processing.

MD5 may still appear in legacy systems; treat it as a compatibility footgun, not a security anchor.

Encoding: Base64 and friends are not encryption

Base64 re-represents binary data as ASCII-safe text. Anyone can decode standard Base64 without a key. That makes it great for transport and debugging, and a poor choice for hiding sensitive information.

If a workflow needs confidentiality, you need encryption with proper keys, rotation, and threat modeling—not a hash line and not Base64 alone.

Secrets: passwords, tokens, UUIDs, and random hex

Random passwords and random hex on this site are built for generating strong material in the browser. Passwords should be long, unique per service, and stored with a password manager.

UUIDs are identifiers, not magic secrets. They are fine for database keys and correlation IDs; do not use a bare UUID as an authentication token unless it is drawn from a high-entropy process and protected like any other secret.

Browser tools versus APIs

Static tool pages are built for quick, one-off work and spell out privacy and limits in plain language. Tools API v1 publishes titles, routes, and short hints so integrations can send people to the right tool—it does not run the tools for you.

Commercial API pages describe paid, server-side workflows—not the same promises as the free in-browser utilities.