Password hash & token scrubber
Logs and config snippets are full of things you should never paste into a chat window — bcrypt hashes, JWTs, bearer tokens, API keys, session IDs. The moment they leave your machine they can be cracked, replayed, or abused. This scrubber scans pasted text for the well-known secret and hash formats and swaps each one for a type-labeled placeholder, so you can share a sanitised version with an AI or a colleague while keeping the log structure intact.
What gets detected and why each type matters
| Format | Pattern | Why it’s sensitive |
|---|---|---|
| Bcrypt hash | Starts with $2a$ or $2b$ followed by cost and hash | Offline crackable, especially with weak source passwords |
| Argon2 hash | Starts with $argon2id$ or $argon2i$ | Same risk; newer hashes but still crackable given the right input |
| MD5 hex hash | 32 hex characters | Extremely fast to crack; MD5 password hashes are considered broken |
| SHA-1 hex hash | 40 hex characters | Also fast offline; widely deprecated for passwords |
| SHA-256 hex hash | 64 hex characters | Slower but still crackable without proper salting |
| JWT (JSON Web Token) | Three base64url segments separated by dots | Often contains user identity and session data; valid until expiry |
| Bearer / OAuth token | Bearer prefix + token string | Live credential; grants API access immediately |
| AWS-style API key | AKIA prefix + 16 uppercase chars | Cloud credentials; can control infrastructure if leaked |
| Generic API key | Long alphanumeric strings matching common key patterns | Varies by service; often has wide access scope |
| Session IDs | Long opaque hex or base64 strings | Can be replayed to hijack user sessions |
How it works
Everything runs locally in your browser. The tool applies a regular expression pattern for each format listed above. Each match is replaced inline with a placeholder like [REDACTED_JWT] or [REDACTED_BCRYPT], and you get a per-type count so you know exactly what was removed. The surrounding log lines are left untouched so the output stays readable and useful for debugging.
When to use this tool
The most common scenario is pasting a log snippet into a ChatGPT, Claude, or Copilot chat while debugging a production issue. Logs from authentication services, API gateways, and middleware layers routinely contain hashes and tokens, sometimes unexpectedly. A quick paste-and-scrub before sharing with an AI assistant takes seconds and eliminates a whole category of accidental credential exposure.
It is also useful before:
- Creating a GitHub issue with a log snippet
- Sharing a debug excerpt with a contractor or support team
- Posting to Stack Overflow or a community forum
- Screenshotting a terminal for documentation
Limits and what to do anyway
Because this is pattern-based it excels at standard, widely-used formats but cannot recognise every bespoke token scheme. A proprietary internal session token that looks like random ASCII will not be matched. Always review the output by eye before sharing, and never treat a clean result as proof there are no secrets left.
For anything that has already been shared in its original form: rotate the credential. Redaction is a preventive step, not a retroactive one — once a token or hash has been exposed to another party, the only safe action is to invalidate it.