Blog
Practical cryptography for developers. No padding.
Base64 Is Not Encryption
It's encoding. Anyone can reverse it without a key, in two seconds, in any language. Here's why the confusion keeps happening and what to use instead.
May 30, 2026·4 min read
Google Already Knows What Your MD5 Hash Says
Paste an unsalted MD5 hash of a common password into Google. You'll get the original password back. This is why salting exists — and why MD5 still shows up in breach dumps.
May 30, 2026·5 min read
AES-256 Is Strong. Using a Password Directly as the Key Is Not.
The encryption is fine. The part that breaks is how the key gets generated from a human-chosen password. Here's what PBKDF2 and proper key derivation actually do.
May 30, 2026·6 min read
SHA-256 vs SHA-512 — Which Should You Use?
The number is the output size in bits. But that's not the whole story — they behave differently on different hardware, and the ecosystem has opinions about which one to use where.
May 18, 2026·5 min read
Why MD5 Is Broken for Passwords
MD5 has collision attacks, yes. But that's not why it's wrong for passwords. The real problem is speed — and how quickly that speed translates to cracked accounts.
May 18, 2026·6 min read
How JWT Actually Works
A JWT is three base64url strings joined by dots. The payload is not encrypted — just encoded. Here's what that means and what the signature actually protects.
May 18, 2026·7 min read
Bcrypt vs Argon2 vs scrypt in 2026
All three are intentionally slow password hashing algorithms. They differ in what dimensions of cost they let you control — and that matters more than it sounds.
May 18, 2026·6 min read