Logo

MonoCalc

/

Image Steganography

Encode/Decode

1. Upload Carrier Image

Drag & drop or click to upload

PNG, BMP, WebP only · Max 10 MB

2. Configure Message

Text to hide inside the image
AES-256 encryption (min. 8 chars)
Higher = more capacity, slight quality risk

About This Tool

🕵️ Image Steganography – Hide Secret Text Inside Images

Image steganography is the practice of concealing a secret message inside an ordinary image file so that no one — except the intended recipient — knows the hidden data exists. Unlike encryption, which scrambles data into an unreadable form, steganography hides the very existence of the secret. Combined, they form a powerful privacy tool.

How LSB Steganography Works

Every pixel in a colour image is represented by three 8-bit numbers (Red, Green, Blue). The Least Significant Bit (LSB) technique overwrites the lowest-order bit of each colour channel with one bit of secret data. Changing the LSB alters the colour value by at most 1 out of 255 — a difference completely imperceptible to human vision.

Example pixel:  R=200  (11001000)
Hide bit '1':   R=201  (11001001)  ← 1 value difference, invisible

The Encoding Process

The tool follows these steps when you click Encode & Download:

  1. Load the carrier image onto an HTML5 <canvas> element.
  2. Read pixel RGBA data with ctx.getImageData().
  3. If a password was provided: encrypt the message with AES-256-CBC, deriving the key via PBKDF2 (100,000 iterations, SHA-256).
  4. Prepend a 25-byte header: STEG magic (4 bytes) + flags byte + message length (4 bytes) + AES initialisation vector (16 bytes).
  5. Overwrite the LSB(s) of sequential R, G, B channels with bits of the payload.
  6. Write modified pixels back and export the canvas as a lossless PNG.

Capacity Formula

The maximum number of bytes you can hide depends on image dimensions and the selected LSB depth:

capacity (bytes) = ⌊(width × height × 3 channels × lsbDepth) / 8⌋ − 25

Example: 1920 × 1080 image at 1 LSB
= ⌊(1920 × 1080 × 3 × 1) / 8⌋ − 25 = 777,571 bytes ≈ 760 KB

LSB Depth Trade-offs

LSB DepthCapacity MultiplierVisual ImpactRecommended Use
1 bitImperceptibleDefault — maximum stealth
2 bitsNegligibleSmall text in large images
3 bitsSlight (visible on close inspection)Educational demos
4 bitsNoticeable (colour banding possible)Maximum capacity tests

Password Encryption (AES-256-CBC)

When you provide a password, the tool adds a second layer of security. Even if someone detects that an image has hidden data, they cannot read it without the passphrase. The implementation uses the browser's native Web Crypto API — no external libraries, no network calls. Your secret never leaves your device.

  • Algorithm: AES-256-CBC (256-bit key, 128-bit block)
  • Key derivation: PBKDF2 with 100,000 SHA-256 iterations
  • Initialisation vector: Randomly generated per encode, stored in the header
  • Salt: Randomly generated per encode, prepended to the ciphertext

Why JPEG Is Not Supported

JPEG uses lossy compression: when you save a JPEG, the encoder discards subtle pixel-level differences to reduce file size. This destroys the carefully embedded LSB data, making decoding impossible. Only lossless formats — PNG, BMP, and WebP (lossless) — preserve the exact pixel values that steganography requires.

Real-World Applications

  • Digital watermarking — embed copyright or ownership information invisibly inside images
  • Covert communication — send hidden messages through innocuous image files
  • CTF (Capture The Flag) challenges — steganography puzzles are a staple of cybersecurity competitions
  • Digital forensics education — understand how investigators detect hidden payloads
  • Privacy research — explore information hiding for academic study

Security Considerations

Basic LSB steganography without encryption offers security through obscurity only. Statistical tools (chi-square tests, histogram analysis) can detect the presence of embedded data in large image collections. For genuine security, always combine steganography with strong encryption using the password option. All processing runs locally in your browser — nothing is transmitted to any server.

⚠️ Legal Notice: Use steganography responsibly and in compliance with local laws. This tool is intended for education, research, privacy, and legitimate personal use only. Do not use it for illegal activities or to circumvent lawful interception.

Frequently Asked Questions

Is the Image Steganography free?

Yes, Image Steganography is totally free :)

Can I use the Image Steganography offline?

Yes, you can install the webapp as PWA.

Is it safe to use Image Steganography?

Yes, any data related to Image Steganography only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

How does this Image Steganography tool work?

The tool uses LSB (Least Significant Bit) steganography to hide text inside PNG, BMP, or WebP images entirely in your browser. During encoding, each bit of your secret message overwrites the least significant bit(s) of sequential pixel colour channels (R, G, B). The visual change is imperceptible to the human eye. Decoding reverses this process to extract the original message.

What is LSB steganography and why is it hard to detect?

LSB (Least Significant Bit) steganography modifies only the lowest-order bit of each colour value, changing a pixel's colour by at most 1 out of 255 levels — a change completely invisible to humans. At 1 LSB depth, a 1000×1000 pixel image can hide over 370 KB of text while appearing identical to the original.

Is my image or message sent to any server?

No. All processing happens entirely inside your browser using the HTML5 Canvas API and the Web Crypto API. Your image and secret message never leave your device.

What does the optional password do?

When you provide a password, the tool encrypts your message with AES-256-CBC before embedding it. The encryption key is derived from your password using PBKDF2, so even if someone extracts the hidden data they cannot read it without the correct password.

Why is JPEG not supported?

JPEG uses lossy compression, which alters pixel values during saving and destroys the carefully embedded LSB data. PNG, BMP, and WebP (lossless) preserve exact pixel values, making them the only reliable carriers for LSB steganography.

What is the maximum message size I can hide?

The capacity depends on image dimensions and LSB depth: capacity (bytes) = floor(width × height × 3 channels × lsbDepth / 8) − 25 header bytes. A 1920×1080 PNG at 1 LSB depth can hold roughly 777,571 characters. Higher LSB depths multiply capacity but risk faint visual artefacts.