Side-by-Side Comparison
| Aspect | Hashing | Encryption | Encoding |
|---|---|---|---|
| Reversible? | No (one-way) | Yes (with the key) | Yes (no key needed) |
| Purpose | Integrity, verification | Confidentiality | Data format compatibility |
| Needs a key? | No (may use a salt) | Yes | No |
| Output size | Fixed length | Varies with input | Varies with input |
| Example | SHA-256, bcrypt | AES, RSA | Base64, URL encoding |
| Typical use | Password storage, checksums, digital signatures | Protecting data in transit/at rest | Embedding binary data in text (emails, URLs, JSON) |
Hashing: One-Way, Fixed-Size, Irreversible
A tiny change to the input produces a completely different output (the "avalanche effect"), and there is no operation that takes the hash output and recovers "password123". This is exactly why hashing fits password storage: the server only ever needs to check "does hashing this login attempt match the stored hash?" — it never needs to know the real password.
⚠️ Don't Use Fast Hashes for Passwords
SHA-256 and MD5 are built to be fast — great for checksums, terrible for passwords, because attackers can brute-force billions of guesses per second on a GPU. Use bcrypt, scrypt, or Argon2 instead — they are deliberately slow and tunable, making brute-forcing computationally expensive even at scale.
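The two properties above, shown with Node's built-in `crypto` module. This is an added example, not code from the original page: it measures the avalanche effect on SHA-256 and stores and verifies a password with scrypt and a per-user salt. The function names and the scrypt cost parameters are assumptions chosen for the demo.

```javascript
const { createHash, scryptSync, randomBytes, timingSafeEqual } = require('crypto');

// SHA-256 digest of a UTF-8 string: fast, always 32 bytes.
function sha256(text) {
  return createHash('sha256').update(text, 'utf8').digest();
}

// Count differing bits between two equal-length digests (avalanche effect).
function bitDifference(a, b) {
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x >>= 1) diff += x & 1;
  }
  return diff;
}

// Assumed demo cost parameters; raise N as far as your login latency budget allows.
const SCRYPT = { N: 16384, r: 8, p: 1 };

// Build the record a server stores: salt and derived hash, never the password.
function hashPassword(password) {
  const salt = randomBytes(16); // unique per user
  const hash = scryptSync(password, salt, 32, SCRYPT);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Re-hash the login attempt with the stored salt, then compare in constant time.
function verifyPassword(attempt, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = scryptSync(attempt, salt, expected.length, SCRYPT);
  return timingSafeEqual(actual, expected);
}

// Constructed sample inputs that differ in one character.
const flipped = bitDifference(sha256('password123'), sha256('password124'));
console.log(`bits changed out of 256: ${flipped}`);

const record = hashPassword('password123');
console.log('correct attempt:', verifyPassword('password123', record));
console.log('wrong attempt:  ', verifyPassword('password124', record));
```
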
Encryption: Two-Way, Needs a Key
Encryption transforms data so it's unreadable without the correct key, but it's designed to be reversed by whoever holds that key.
This is used whenever the original data needs to be recovered later — encrypting a database column, securing data in transit over HTTPS, or protecting files at rest. Symmetric encryption (AES) uses one shared key for both directions; asymmetric encryption (RSA) uses a public/private key pair.
Encoding: Just a Different Format, No Security
Base64 encoding exists to safely represent binary data as plain text — for example, embedding an image inside a JSON payload or a URL. It provides zero confidentiality: anyone can decode it instantly with a standard library, no key required. Encoding answers "how do I represent this data safely in a different format?" — not "how do I keep this secret?"
The Classic Mistake: Encrypting Passwords
If passwords are encrypted rather than hashed, anyone who steals the encryption key (a misconfigured server, a leaked environment variable, an insider) can decrypt and read every user's actual password in plaintext. If passwords are properly hashed with a strong algorithm and a unique salt per user, a database breach alone does not hand attackers usable passwords — they'd need to crack each hash individually, which a slow algorithm like bcrypt makes expensive.
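Both the reversibility described under "Encryption: Two-Way, Needs a Key" and the failure mode described here can be seen in one run. This is an added example, not code from the original page: a constructed user table stores AES-256-GCM encrypted passwords, and whoever holds the server key reads every one of them back. The table layout, function names and sample passwords are assumptions.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');

// Encrypt one value with AES-256-GCM; the record keeps IV, ciphertext and auth tag.
function encrypt(key, plaintext) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Reverse encrypt() for whoever holds the key; throws if the key or data is wrong.
function decrypt(key, { iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample data: a table that (wrongly) stores encrypted passwords.
const serverKey = randomBytes(32);
const users = [
  { name: 'alice', password: 'password123' },
  { name: 'bob', password: 'correct horse battery staple' },
];
const userTable = users.map(u => ({ name: u.name, secret: encrypt(serverKey, u.password) }));

// What a copy of the table yields to someone holding a given key.
function recoverAll(table, key) {
  return table.map(row => {
    try {
      return decrypt(key, row.secret);
    } catch {
      return null; // GCM tag check fails under the wrong key
    }
  });
}

console.log('table + leaked key:', recoverAll(userTable, serverKey));
console.log('table + wrong key: ', recoverAll(userTable, randomBytes(32)));
```

With a salted scrypt, bcrypt or Argon2 hash in the `secret` column instead, there is no key to leak, and nothing in the table can be turned back into a password without guessing each one.
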
Hashing in Data Structures (a Different Use)
Hash functions also power hash tables (dictionaries/maps), where speed and even key distribution matter far more than cryptographic security. A hash table's hash function converts a key into an array index for near O(1) lookups — collisions are handled with chaining or open addressing, not treated as a security failure the way they would be for a cryptographic hash.
💡 Quick Mental Test
Ask: "Do I ever need to get the original value back?" If no — hash it. If yes, and it must stay secret — encrypt it. If yes, and secrecy doesn't matter, just needs a safe format — encode it.
Frequently Asked Questions — Hashing vs Encryption vs Encoding
Hashing is a one-way transformation that produces a fixed-size output and cannot be reversed back to the original input — used to verify data integrity or store passwords. Encryption is a two-way transformation that can be reversed with the correct key — used to protect confidentiality of data that needs to be read again later. Encoding is a reversible transformation with no security purpose at all — used to represent data in a different format (like Base64) so it can travel safely through systems that expect text.
Passwords are hashed because the application never needs to see the original password again — it only needs to verify that a login attempt matches. Hashing is one-way, so even if the database is breached, attackers cannot directly recover the original passwords (assuming a strong, salted hash). If passwords were encrypted instead, anyone who obtained the encryption key could decrypt and read every user's actual password — a much bigger risk.
One-way means there is no mathematical operation that takes a hash output and reliably reconstructs the original input. You can verify a guess by hashing it again and comparing outputs, but you cannot algorithmically invert the hash function itself. This is what makes hashing suitable for password storage — verification doesn't require ever knowing the original value.
SHA-256 is a general-purpose cryptographic hash function designed to be extremely fast — which is exactly the wrong property for password hashing, because it lets attackers try billions of guesses per second using GPUs. Password-specific hash functions like bcrypt, scrypt, and Argon2 are deliberately slow and configurable (via a "cost factor"), making brute-force attacks computationally expensive even with modern hardware.
A collision is when two different inputs produce the same hash output. Since hash functions map an infinite input space to a fixed-size output space, collisions are mathematically inevitable — the goal of a good cryptographic hash function is making them computationally infeasible to find on purpose, not impossible in theory. MD5 and SHA-1 are considered broken because practical collision attacks have been demonstrated against them.
A hash table uses a hash function to convert a key (like a string) into an array index, allowing near O(1) average-case lookup, insertion, and deletion. This is a completely different use of "hashing" than cryptographic hashing — hash table hash functions prioritise speed and even distribution, not security or collision resistance against a determined attacker.