Blog
Practical cryptography for developers. No padding.
SHA-256 vs SHA-512 — Which Should You Use?
The number is the output size in bits. But that's not the whole story — they behave differently on different hardware, and the ecosystem has opinions about which one to use where.
May 18, 2026·5 min readWhy MD5 Is Broken for Passwords
MD5 has collision attacks, yes. But that's not why it's wrong for passwords. The real problem is speed — and how quickly that speed translates to cracked accounts.
May 18, 2026·6 min readHow JWT Actually Works
A JWT is three base64url strings joined by dots. The payload is not encrypted — just encoded. Here's what that means and what the signature actually protects.
May 18, 2026·7 min readBcrypt vs Argon2 vs scrypt in 2026
All three are intentionally slow password hashing algorithms. They differ in what dimensions of cost they let you control — and that matters more than it sounds.
May 18, 2026·6 min read