Passwords, Hashes & UUIDs
Passwords, hashes, and unique identifiers are foundational to web security and application architecture. This guide covers how password strength works mathematically, which hashing algorithms to use (and which to avoid), and how UUIDs provide collision-resistant identifiers for distributed systems.
- Understand password entropy, hashing algorithms (SHA, MD5, bcrypt), and UUID generation.
- Password Entropy
- What Makes a Password Strong
- Generating Secure Passwords
- What Is Hashing?
Password Entropy
Password strength is measured in bits of entropy — a mathematical concept that quantifies how unpredictable a password is. The formula is: entropy = log2(possible characters ^ length). A password with 72 bits of entropy means an attacker would need to try 2^72 (roughly 4.7 sextillion) combinations to guarantee finding it.
To put this in perspective: a random 8-character password using lowercase letters only has about 37 bits of entropy. Add uppercase, digits, and symbols, and that jumps to about 52 bits. Extend to 16 characters with the same character set, and you're at 105 bits — well beyond what any brute-force attack can crack.
What Makes a Password Strong
Length matters far more than complexity. A 20-character passphrase of random words ("correct-horse-battery-staple") has more entropy than an 8-character mess of symbols ("P@$$w0rd"), and it's dramatically easier to remember.
Randomness is the critical factor. A password generated by a cryptographic random number generator is always stronger than one a human chooses, even if the human-chosen password includes special characters. Humans are terrible at being random — we reuse patterns, substitute predictable characters (@ for a, 0 for o), and pick words related to ourselves.
Password reuse is the biggest real-world vulnerability. Even a strong password is worthless if it's used across multiple services. When one service is breached, attackers try the stolen credentials on other services — a technique called credential stuffing.
Generating Secure Passwords
A good password generator uses a cryptographically secure random number generator (CSPRNG) to select characters. In browsers, this means crypto.getRandomValues() — not Math.random(), which is predictable and unsuitable for security purposes.
The Password Generator uses this secure approach and lets you customize length, character types, and exclusion rules. All generation happens locally in your browser — no passwords are ever sent to a server.
What Is Hashing?
A hash function takes input of any size and produces a fixed-size output (the hash or digest). The same input always produces the same hash, but even a tiny change in the input produces a completely different hash. Crucially, hashing is a one-way operation — you can't reverse a hash to recover the original input.
Notice how the SHA-256 output is completely different despite only one character changing. This property (the "avalanche effect") is what makes hashes useful for integrity verification and password storage.
Hash Algorithms Compared
MD5 (128-bit output) is fast but broken. Collision attacks are practical, meaning two different inputs can produce the same hash. Never use MD5 for security. It's still acceptable for non-security checksums (verifying file downloads).
SHA-1 (160-bit) is deprecated for security purposes. Google demonstrated a practical collision attack in 2017. Don't use it for new projects.
SHA-256 (256-bit, part of the SHA-2 family) is the current standard for general-purpose hashing. Used in TLS certificates, blockchain, code signing, and data integrity checks. Fast and secure for all current general-purpose uses.
SHA-3 (variable output) is the newest SHA standard, designed as a backup in case SHA-2 is ever compromised. It uses a different internal construction (Keccak) and is equally secure, but adoption is slower since SHA-2 remains unbroken.
The Hash Generator supports MD5, SHA-1, SHA-256, and SHA-512 for quick hash computation.
Hashing Passwords (bcrypt, Argon2)
General-purpose hash functions like SHA-256 are too fast for password hashing. An attacker with a GPU can compute billions of SHA-256 hashes per second, making brute-force attacks feasible against short or common passwords.
Password-specific hash functions are intentionally slow. bcrypt has a configurable work factor that controls how many rounds of computation are performed. Argon2 (the winner of the Password Hashing Competition) adds memory-hardness — it requires a configurable amount of RAM, making GPU and ASIC attacks much more expensive.
Both bcrypt and Argon2 automatically incorporate a random salt — a unique value mixed into each password before hashing. Salting prevents precomputed "rainbow table" attacks and ensures that two users with the same password have different hashes.
Checksums & File Integrity
Checksums are hash values used to verify that a file hasn't been corrupted or tampered with. When you download software, the publisher often provides a SHA-256 hash. You compute the hash of your downloaded file and compare — if they match, the file is intact.
UUIDs Explained
A UUID (Universally Unique Identifier) is a 128-bit value formatted as 32 hexadecimal characters in five groups: 550e8400-e29b-41d4-a716-446655440000. UUIDs are designed to be globally unique without requiring a central authority — you can generate them independently on any machine with virtual certainty that no other system will produce the same value.
UUIDs are used as database primary keys, session tokens, correlation IDs in distributed systems, and file identifiers. Their key advantage over sequential IDs is that they can be generated on any node without coordination, making them ideal for distributed architectures.
UUID Versions
v4 (random) is the most commonly used. All 122 non-fixed bits are randomly generated. The probability of collision is astronomically low — you'd need to generate about 2.71 quintillion UUIDs to have a 50% chance of one collision.
v1 (timestamp + MAC) embeds the generation time and the machine's MAC address. This guarantees uniqueness but leaks information about when and where it was generated.
v7 (timestamp + random) is a newer standard that combines a Unix timestamp with random bits. It's sortable by creation time (useful for database indexes) without leaking hardware information like v1. Many teams are adopting v7 as their default for new projects.
The UUID Generator creates v4 UUIDs instantly in your browser. For bulk generation or specific versions, the tool supports batch creation and copy-to-clipboard.
Security Best Practices
Use a password manager to generate and store unique passwords for every service. Use bcrypt or Argon2 for password storage — never SHA-256 or MD5. Use SHA-256 for checksums and data integrity. Use UUID v4 or v7 for identifiers in distributed systems. Always use crypto.getRandomValues() (not Math.random()) when generating security-sensitive values in the browser.
All tools run locally in your browser — nothing is sent to a server.