ROT13 Encoder / Decoder

What ROT13 Is and Where It's Used

ROT13 ("rotate by 13") is a Caesar cipher with a fixed shift of 13 positions. Each letter A–Z is replaced with the letter 13 places later in the alphabet, wrapping at the end: A becomes N, B becomes O, …, M becomes Z, N becomes A, and so on. Lowercase letters do the same thing. Digits, punctuation, whitespace, and any non-letter characters pass through unchanged.

The cipher's defining feature is that it is its own inverse. Apply it once: HELLO becomes URYYB. Apply it again: URYYB becomes HELLO. This is because 13 + 13 = 26, the size of the alphabet — so two rotations bring every letter back to where it started. There is exactly one tool for both encoding and decoding, which is why it became the standard "spoiler obfuscation" on Usenet in the 1980s and 1990s.

What ROT13 Is Not

ROT13 is not encryption. It provides zero security against any adversary aware that ROT13 has been applied — and detecting ROT13 is trivial because the letter-frequency distribution is identical to the original (just shifted). The point of ROT13 isn't secrecy; it's polite obfuscation. The reader has to actively choose to decode, which gives them the option to skip a spoiler, a punchline, or NSFW content. It's a UX convention, not a security measure.

For anything that actually needs to stay private, use modern authenticated encryption: AES-256-GCM for symmetric keys, X25519 + ChaCha20-Poly1305 for public-key, or libraries that bundle these correctly (libsodium, age, AWS KMS). Never use ROT13, Caesar ciphers, or any classical cipher in production code.

ROT13 vs ROT47

ROT13 rotates only the 26 English letters. The other 95+ printable characters pass through untouched. This makes the result safe in URLs, filenames, JSON strings, and most other contexts — anywhere the input was already safe. The downside: digits and punctuation are visible in the output, so phone numbers, email addresses, and code snippets are still partially readable.

ROT47 rotates 94 printable ASCII characters (codepoints 33 to 126), which includes all letters, digits, and most punctuation. The shift is 47, and 94/2 = 47, so ROT47 is also self-inverse. The result obscures more of the input — a phone number becomes gibberish — at the cost of producing characters like /, ?, &, and % that may need URL-encoding before transmission.

How to Implement ROT13 in Code

// JavaScript
const rot13 = s => s.replace(/[A-Za-z]/g, c => {
  const a = c <= 'Z' ? 65 : 97;
  return String.fromCharCode((c.charCodeAt(0) - a + 13) % 26 + a);
});

# Python
import codecs
codecs.encode("Hello", "rot13")  // built-in!

// Bash
echo "Hello" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

// Vim — visual select then press
g?

For ROT47, replace the alphabet test with c >= 33 && c <= 126 and use modulo 94 with offset 33.

Common Use Cases Today

• Spoiler tags on forums and social media that don't have native spoiler markup.
• Puzzle answers in crossword/sudoku columns and ARG (alternate-reality game) puzzles.
• Email signatures and Reddit comments where you want a punchline visible only to readers willing to decode.
• Geocache hints — geocaching.com uses ROT13 for encrypted hints by long-standing convention.
• Teaching tool for introducing classical cryptography, frequency analysis, and the difference between obfuscation and encryption.

Need stronger obfuscation? Base64 hides the readable form (still not encryption, but harder to skim). For real privacy, encrypt with a proper key derivation function — see our Hash Generator for one-way hashing of passwords or message integrity checks.