Vigenère Solver

Paste Vigenère ciphertext and recover the keyword and the original message without knowing the key. The solver finds the key length from the Index of Coincidence, confirms it with Kasiski examination, breaks each column as a Caesar cipher, and picks the decryption that reads most like English. Everything runs in your browser.

Try a sample:

Vigenère ciphertext

Paste Vigenère ciphertext above and the recovered key, the decrypted message and the key-length analysis will appear here. The more text you give it, the more reliable the answer.

How to use Vigenère Solver

1
Paste the ciphertext
Copy the Vigenère-encrypted text and paste it into the box. A paragraph or more gives the best results; letters are read without regard to case, and spaces, digits and punctuation are ignored while solving.
2
Read the recovered key
The solver shows the most likely keyword at the top. Copy it with one click — you can paste it into the Vigenère Cipher tool to verify it decrypts the same message.
3
Read the decrypted message
Below the key, the full plaintext appears with its original capitalisation, spacing and punctuation restored. Copy it to keep the result.
4
Check the key-length evidence
The Index of Coincidence chart and the Kasiski panel show why that key length was chosen. If a result looks off, click a different length in the chart to force the solve, or widen the maximum key length.

5
Share or clear
Copy a shareable link that reopens the tool with your exact ciphertext — the text rides in the part of the URL after the hash, which never reaches a server. Clear resets everything.

Cracking the Vigenère cipher, explained

What this tool does

The Vigenère cipher hides a message by shifting each letter by a different amount, following a repeating keyword. For three centuries that simple idea earned it the nickname le chiffre indéchiffrable — the indecipherable cipher — because the usual trick of counting letter frequencies fails against it. This tool breaks it anyway, automatically, without you supplying the key. Paste the ciphertext and it returns the most likely keyword and the decrypted message.

It works the way a human cryptanalyst does, only faster: it figures out how long the key is, splits the message into that many separate Caesar ciphers, solves each one, and then checks that the result actually reads like English. No key, no guessing, and nothing leaves your browser — the whole attack runs on your own machine.

Why the Vigenère cipher can be broken

A keyword of length L enciphers every L-th letter with the same shift. So if you take the 1st, the (L+1)-th, the (2L+1)-th letters and so on, every letter in that group was shifted by the same amount — they form an ordinary Caesar cipher. The same is true for each of the L starting positions. A Vigenère cipher is therefore not one hard problem but L easy ones stacked together, and the only thing standing between you and the plaintext is discovering L.

Once the key length is known, each column keeps the lopsided letter frequencies of English, just relabelled by a single shift. That is exactly the situation classical frequency analysis was built for. The entire art of breaking Vigenère, then, comes down to one question: how long is the key?

Finding the key length with the Index of Coincidence

The Index of Coincidence measures how likely two letters picked at random from a text are to be the same. Ordinary English sits around 0.066 because its letters are so unevenly used; perfectly random text sits near 0.038. When you split the ciphertext into the correct number of columns, each column is monoalphabetic and its Index of Coincidence springs back up toward the English value. Split it into the wrong number, and the columns stay a flat, random-looking 0.038.

The tool tries every key length from one up to your chosen maximum, measures the average column Index of Coincidence for each, and draws the result as a bar chart. The true length stands out as a tall bar — and so do its multiples, because a length of ten also makes every group of five line up. That multiples ambiguity is why the tool does not simply trust the tallest bar, as the next sections explain.

Kasiski examination

There is a second, older way to find the key length, discovered by Friedrich Kasiski in 1863. When a common word like THE lines up with the same part of the keyword twice, it encrypts to the same ciphertext sequence both times. The distance between two such repeats must be a whole number of key lengths — so the key length divides that distance. Find several repeated sequences, measure the gaps, and the key length hides among the common factors of those gaps.

The tool scans the ciphertext for repeated three-letter sequences, collects the gaps between them, and counts how many gaps each candidate factor divides. The factors with the most support are the most likely key lengths. This is shown as a separate panel of evidence, independent of the Index of Coincidence, so that two different techniques can agree on the answer.

Solving each column and reading off the keyword

With the key length fixed, every column is a Caesar cipher, and Caesar ciphers fall instantly. For each column the solver tries all twenty-six shifts and keeps the one whose decoded letters best match the expected frequencies of English, measured by a chi-squared test. The winning shift for a column is one letter of the keyword: a shift of eleven is L, a shift of four is E, and so on. Read the winning shifts in order and the keyword spells itself out.

Decrypting the whole message with that recovered keyword gives back the plaintext, with the original capitalisation, spacing and punctuation put back exactly where they were. If the recovered key happens to be a repetition — say LEMONLEMON when the real key was LEMON — the tool collapses it to its shortest period, so you always see the true, minimal keyword.

Solve first, then verify — why bigrams matter

A naïve solver picks the key length from the Index of Coincidence and stops. That goes wrong in two common cases: a repetitive message can distort the statistics, and a true length is easily confused with its divisors. This tool avoids the trap by solving at every candidate length and then judging the results by how much each decryption actually reads like English — solve first, verify second.

The judge is not single-letter frequency, which is surprisingly easy to fool: a slightly wrong key can produce garbled text that happens to have a plausible letter mix. Instead the tool scores each decryption by its bigrams — the likelihood of every adjacent letter pair, learned from a large body of English. Real English is rich in pairs like TH, HE and ER and almost never contains QJ or ZX, so a single wrong key letter injects impossible pairs and sinks the score. The decryption with the best bigram fitness wins, and ties go to the shorter key, which is why a plain Caesar cipher correctly resolves to a one-letter key.

How much text you need, and when it struggles

Because each column is solved by frequency analysis, what matters is how many letters land in each column — that is, the total length divided by the key length. With roughly forty or more letters per column the recovery is usually exact, key and plaintext both. A paragraph of two hundred letters easily cracks a short key; a longer key of a dozen letters wants several hundred letters of ciphertext to be sure.

When the ciphertext is short relative to the key, the columns get thin and the per-column frequency counts grow noisy. The solver still returns its best effort — often a near-miss that is one or two key letters off but still readable — rather than nothing. If a result looks almost right, the usual fix is simply more ciphertext, or nudging the key length by hand using the chart. The cipher only resists when there genuinely is not enough text to measure.

Frequently asked questions

Can you really break a Vigenère cipher without the key?

Yes. A repeating-key Vigenère cipher is several Caesar ciphers interleaved, and Caesar ciphers fall to frequency analysis. The solver works out the key length, splits the message into that many columns, breaks each one, and reads the keyword off the results — all without you knowing the key in advance.

How does the solver find the key length?

Two ways at once. It measures the average Index of Coincidence for every candidate length — the right length and its multiples score near 0.066, like English, while wrong lengths look random near 0.038 — and it runs a Kasiski examination, factoring the gaps between repeated sequences. The length both methods agree on is almost always correct.

What is the Index of Coincidence?

It is the probability that two letters drawn at random from a text are the same. English is about 0.066 because its letters are used unevenly; random text is about 0.038. When the ciphertext is split into the correct number of columns, each column looks like English again, which is how the tool spots the key length.

What is Kasiski examination?

A method published by Friedrich Kasiski in 1863. When a repeated word lines up with the same part of the key, it encrypts identically, and the distance between those repeats is a multiple of the key length. By collecting such gaps and looking at their common factors, you recover candidate key lengths independently of the frequency statistics.

Why might the recovered key be slightly wrong?

Each column is solved by frequency analysis, which needs enough letters to be reliable. If the ciphertext is short relative to the key length, some columns have too few letters and a key letter or two can be off. The plaintext is usually still readable; the fix is more ciphertext, or nudging the key length by hand in the chart.

How much ciphertext do I need?

Aim for at least forty letters per column — that is the total length divided by the key length. A short key cracks easily from a single paragraph, while a long key of a dozen letters wants several hundred letters of ciphertext for an exact recovery. More text is always better.

Why does the tool check bigrams instead of just letter frequencies?

Single-letter frequency can be fooled — a slightly wrong key sometimes yields garble with a plausible letter mix. Bigram fitness scores every adjacent letter pair against real English, where TH and HE are common and QJ or ZX practically never occur. A wrong key injects impossible pairs and scores badly, so the genuinely English decryption wins.

Can I force a particular key length?

Yes. Click any bar in the key-length chart to solve at that exact length, and press Auto to return to automatic detection. You can also raise the maximum key length the tool searches if you suspect a long key. This is handy when you already know or can guess the length.

Does it work on Beaufort, Gronsfeld or other polyalphabetic ciphers?

This solver targets the standard repeating-key Vigenère cipher. Close relatives like Gronsfeld (a numeric Vigenère) often partially yield, but Beaufort and autokey variants use different arithmetic and may not. If you are unsure which cipher you have, run the Cipher Identifier first, then use the matching tool.

Is my ciphertext sent to a server?

No. The entire attack runs in your browser, so your text is never uploaded, logged or stored. Even the share link keeps your ciphertext in the part of the URL after the hash, which browsers never transmit to a server, so it stays private unless you choose to share it.

How is this different from the Vigenère Cipher tool?

The Vigenère Cipher tool encodes and decodes when you already know the key. This solver is for when you do not: it recovers the key and the plaintext from ciphertext alone. Use the solver to break a message, then the cipher tool to confirm the key encrypts it back exactly.

Related tools

Keep going with these handy tools

Unix Timestamp Converter

JSON to CSV Converter

CSV to JSON Converter

JSON to YAML Converter

Text to Binary Converter

Text to Hex Converter