PBKDF2-SHA256 Hash Generator

Hash and verify passwords using PBKDF2-SHA256 via the Web Crypto API.

Frequently Asked Questions

What is PBKDF2?
PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that applies a pseudorandom function (here HMAC-SHA256) to the password together with a salt, chaining the output back into the input for a configurable number of iterations to produce a derived key. The iteration count is the cost knob: every guess an attacker makes costs the same number of HMAC computations, so a high count makes brute-force and dictionary attacks expensive.

How does PBKDF2 compare to bcrypt?
Bcrypt is built on the Blowfish cipher's deliberately expensive key-setup phase. It is not memory-hard in the sense of scrypt or Argon2, but its 4 KiB of S-box state is accessed in a data-dependent pattern that maps poorly onto GPUs, so it resists GPU cracking better than PBKDF2-SHA256, which needs almost no memory and parallelizes very well. PBKDF2-SHA256 is CPU-bound and is supported natively in browsers through the Web Crypto API, which bcrypt is not. Both are acceptable for password hashing; bcrypt (or Argon2id) is generally preferred server-side, while PBKDF2 is the standard choice when hashing has to run in the browser.

What does the cost factor mean?
The cost factor controls how many PBKDF2 iterations are performed: iterations = 100,000 × 2^(cost − 10), so cost 10 = 100,000, cost 12 = 400,000 and cost 14 = 1,600,000. Each step doubles both the time to hash a password and the time an attacker needs per guess. Pick the highest value that stays acceptably fast on your slowest target device, and store the iteration count with the hash so it can be raised for new hashes later. For reference, OWASP's current minimum for PBKDF2-HMAC-SHA256 is 600,000 iterations, which falls between cost 12 and cost 13 on this scale.

Is client-side hashing secure?
Client-side hashing keeps the plaintext password from ever leaving the browser, which limits what a TLS-terminating proxy or an over-eager server log can capture. It does not replace server-side hashing: whatever the client sends is the credential the server checks, so if the server stored that value as-is, anyone who copied the database could replay it directly without cracking anything. Hash on the client, then hash the received value again on the server with its own random salt, for defense in depth. Note that a client-side hash has to be reproducible at every login, so its salt must be derived from something stable such as the username rather than generated at random like the per-hash salt this tool produces.

What is a salt?
A salt is random data combined with the password before hashing. It ensures that identical passwords produce different hashes, so precomputed rainbow tables are useless and every stored hash has to be attacked separately. The salt is not secret; it is stored alongside the hash so the password can be verified later. This tool generates a cryptographically random 16-byte (128-bit) salt, not a Math.random() value, for every hash operation.