Hashing vs encrypting vs encoding

Hashing, encrypting and encoding are often grouped together, but they solve different problems. Mixing them up leads to weak designs, especially when handling passwords, tokens, keys or personal data. This post is about the conceptual difference between the three, not the step-by-step of how to store a password.

The short version

Hashing creates a fixed length digest from input data. A secure cryptographic hash is designed to be one way. You can hash the same input again and compare the result, but you cannot turn the digest back into the original value.

Encryption protects data so it can be recovered later by someone with the right key. The original data is plaintext, the protected result is ciphertext, and decryption turns the ciphertext back into plaintext.

Encoding changes the representation of data so another system can carry or store it. It is not a security control. Anyone who knows the encoding can reverse it.

Hashing is for integrity and comparison

A hash is useful when you need to compare values without storing the original, or when you need to check that data has not changed. The same input always produces the same digest, and any change to the input produces a different one.

Common uses include file integrity checks, content addressing, digital signatures and password verification. The exact requirements differ by use case. A general purpose hash such as SHA-256 produces a fixed length 256-bit digest and is suitable for integrity checks, but it is not suitable by itself for password storage because it is fast. For passwords you need a purpose built, deliberately slow password hashing algorithm. That is its own topic.
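The integrity check described above, as an added example (Go standard library only; this is not code from the original post). It computes a SHA-256 digest, shows that the digest is a fixed 32 bytes however large the input is, and verifies a later copy of the data against the stored digest with a constant-time comparison. The sample "file" contents are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 digest of data as lowercase hex.
// The output is always 32 bytes (64 hex characters) regardless of input size,
// and there is no way to get data back from it.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the digest of data and compares it with the
// expected hex digest in constant time, so the comparison itself does not
// leak how many leading bytes matched. Malformed or wrong-length digests
// simply fail verification.
func VerifyDigest(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return false
	}
	actual := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(actual[:], expected) == 1
}

func main() {
	// Constructed sample contents; the second copy differs by one character.
	original := []byte("quarterly-report-v1: total=1000")
	tampered := []byte("quarterly-report-v1: total=1001")

	stored := Digest(original) // what you would keep alongside the file
	fmt.Println("digest:", stored, "hex length:", len(stored))
	fmt.Println("original verifies:", VerifyDigest(original, stored))
	fmt.Println("tampered verifies:", VerifyDigest(tampered, stored))
	fmt.Println("tampered digest: ", Digest(tampered))
	fmt.Println("100 KB input digest length:", len(Digest(make([]byte, 100*1024))))
}
```

The one-character change in the tampered copy produces a completely different digest, which is the property an integrity check relies on. Note that this is integrity only: anyone who can replace the file can also replace the stored digest unless the digest is itself protected (for example by a signature).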

Encryption is for confidentiality

Encryption is the right tool when authorised software must read the original value later. Examples include payment tokens, private notes, backups, session state and sensitive database fields.

Encryption depends on key management. If the key sits beside the ciphertext with the same access controls, the design has not provided useful protection. Treat encryption keys as secrets: restrict access to them, rotate them when needed and audit their use.

Use authenticated encryption where available. Authenticated encryption provides confidentiality and lets the recipient check integrity and authenticity, so tampering is detected rather than silently accepted. Without integrity protection, an attacker may be able to change ciphertext and influence the decrypted result.

Encoding is for transport and compatibility

Encoding makes data safe for a specific format or protocol. Base64 can represent binary data as text. URL encoding can put reserved characters into a URL component. HTML escaping can represent special characters safely in markup.

Encoding does not hide the value. A Base64 string may look unreadable, but it is not protected. It is only represented differently, and anyone can decode it.
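The point that encoding is reversible by anyone, as an added example (Go standard library; not code from the original post). It Base64-encodes a constructed value that someone might mistake for a secret and decodes it with no key, then shows the practical caveat that each encoding targets one context: standard Base64 output can contain '+' and '/', so a value bound for a URL needs either the URL-safe alphabet or a further URL-encoding step, and HTML needs its own escaping.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"html"
	"net/url"
)

// EncodeBase64 represents arbitrary bytes as text using the standard alphabet.
func EncodeBase64(data []byte) string {
	return base64.StdEncoding.EncodeToString(data)
}

// DecodeBase64 reverses EncodeBase64. No key is involved: anyone who sees
// the string recovers the bytes.
func DecodeBase64(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(s)
}

// EncodeBase64URL uses the URL-safe alphabet ('-' and '_' instead of '+' and
// '/'), the variant to use when the value travels in a URL or cookie.
func EncodeBase64URL(data []byte) string {
	return base64.URLEncoding.EncodeToString(data)
}

// URLEncode makes a value safe to place in a query-string component.
func URLEncode(s string) string {
	return url.QueryEscape(s)
}

// HTMLEscape makes a value safe to place in HTML text content.
func HTMLEscape(s string) string {
	return html.EscapeString(s)
}

func main() {
	// Constructed value; the "key" here is a placeholder, not a real credential.
	secret := []byte("api_key=example-not-a-real-key")
	enc := EncodeBase64(secret)
	fmt.Println("base64:          ", enc)
	dec, err := DecodeBase64(enc)
	fmt.Printf("decoded by anyone: %s (err=%v)\n", dec, err)

	// These two bytes produce '+' and '/' in standard Base64, both reserved in
	// URLs. Either use the URL-safe alphabet or URL-encode the Base64 string.
	raw := []byte{0xfb, 0xff}
	fmt.Println("std:", EncodeBase64(raw), "url-safe:", EncodeBase64URL(raw),
		"std then url-encoded:", URLEncode(EncodeBase64(raw)))

	// Each encoding is for the place the data is going, not for hiding it.
	fmt.Println("query component:", URLEncode("name=a b&c"))
	fmt.Println("html text:      ", HTMLEscape(`<script>alert("x")</script>`))
}
```

The decoded line prints the original value verbatim, which is the whole argument against treating Base64 as protection. The two Base64 alphabets are also a reminder that encoding choices are about the target format: the wrong alphabet in a URL silently corrupts the value rather than exposing it.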

The common mistakes

Do not call Base64 encryption. It provides no secrecy.

Do not encrypt passwords for normal login systems. If a password can be decrypted, a stolen key can expose every password at once. Store password verifiers with a slow password hashing algorithm instead.

Do not use a fast hash for passwords. Fast hashes help attackers test guesses quickly after a database leak.

Do not invent a custom cryptographic format. Use maintained libraries and standard algorithms. Cryptography fails easily when nonce handling, key length, authentication or error handling is wrong.

Choosing the right tool

Use hashing when the original value should not be recovered and you only need verification or integrity.

Use encryption when authorised code must recover the original value later.

Use encoding when data must fit a transport or storage format and no secrecy is required.

The choice is not about what looks scrambled. It is about whether the operation is one way, key protected, or just a different representation.

Conclusion

Hashing, encryption and encoding are separate tools. Hashing verifies without recovery. Encryption protects data that must be recovered. Encoding makes data fit another format. Treating encoding as security, or using ordinary encryption where password hashing is required, creates avoidable risk.