Hashing vs Encryption: What's the Difference and When to Use Each

Meta Description: Understand the key differences between hashing and encryption. Learn when to use each, common algorithms, and avoid the mistakes that lead to security breaches.

Target Keywords: hashing vs encryption, hash vs encrypt, difference between hashing and encryption

"Just hash the password before storing it."

"Just encrypt the sensitive data."

Both are common advice. But confuse them, and you'll either create a security vulnerability or build an impossible system.

Hashing and encryption sound similar. They both transform data. They're both "cryptographic." But they do fundamentally different things—and using the wrong one is one of the most common security mistakes developers make.

The Core Difference

Hashing is a one-way function. Data goes in, hash comes out. You cannot reverse it to get the original data.

Encryption is a two-way function. Data goes in with a key, encrypted data comes out. With the right key, you can reverse it and get the original data back.

That's it. One-way versus two-way. Everything else follows from this.

What is Hashing?

A hash function takes any input and produces a fixed-size output (the "hash" or "digest"):

Input: "Hello, World!"
SHA-256 Hash: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f

Input: "Hello, World!!" (one extra character)
SHA-256 Hash: d6f644b19812e97b5d871658d6d3400ecd4787faeb9b8990c1e7608288664be7

Key properties:

• Deterministic: Same input always produces same output
• Fixed size: SHA-256 always outputs 256 bits, regardless of input size
• One-way: Cannot reverse the hash to get the original input
• Avalanche effect: Tiny input change completely changes the output
• Collision resistant: Extremely unlikely two inputs produce the same hash

What is Encryption?

Encryption takes input and a key, producing encrypted output (ciphertext). With the same key (symmetric) or related key (asymmetric), you can decrypt:

Plaintext: "Hello, World!"
Key: "my-secret-key-123"
AES-256 Encrypted: U2FsdGVkX1+vupppZksvRf4X8bqU0K1QmNO...

Using the same key:
Decrypted: "Hello, World!"

Key properties:

• Reversible: Original data can be recovered with the key
• Key-dependent: Different keys produce different ciphertext
• Variable output: Output size relates to input size
• Confidentiality: Only key holders can read the data

Side-by-Side Comparison

When to Use Hashing

1. Password Storage

Never store passwords in plain text. Never encrypt them (what key would you use?). Hash them.

import bcrypt

# Storing password
password = "user-password-123"
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
# Store 'hashed' in database

# Verifying password
user_input = "user-password-123"
if bcrypt.checkpw(user_input.encode(), hashed):
    print("Password correct!")

Why hashing works:

• You don't need to recover the original password—just verify matches
• If database is breached, attackers get hashes, not passwords
• One-way function prevents reversing to original password

2. File Integrity Verification

Verify downloads aren't corrupted or tampered with:

# Download Linux ISO
wget https://ubuntu.com/ubuntu-24.04.iso

# Verify hash matches published hash
sha256sum ubuntu-24.04.iso
# e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Compare with Ubuntu's published hash
# If they match → file is authentic

3. Digital Signatures

Sign data to prove authenticity:

1. Hash the document
2. Encrypt the hash with private key (signature)
3. Recipients decrypt with public key and compare hashes

4. Data Deduplication

Identify duplicate files without comparing entire contents:

def get_file_hash(filepath):
    hash = hashlib.sha256()
    with open(filepath, 'rb') as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash.update(chunk)
    return hash.hexdigest()

# Files with same hash are duplicates

When to Use Encryption

1. Data at Rest

Protect sensitive data stored in databases or files:

from cryptography.fernet import Fernet

# Generate key (store securely!)
key = Fernet.generate_key()
cipher = Fernet(key)

# Encrypt
sensitive_data = "SSN: 123-45-6789"
encrypted = cipher.encrypt(sensitive_data.encode())

# Decrypt when needed
decrypted = cipher.decrypt(encrypted).decode()

2. Data in Transit

HTTPS encrypts all data between browser and server:

Browser sends: "password=secret123"
Over the wire: 8a7f9c3e5b1d... (encrypted with TLS)
Server receives: "password=secret123" (decrypted)

3. End-to-End Messaging

Only sender and recipient can read messages:

Alice encrypts with Bob's public key
Bob decrypts with Bob's private key
No one in between can read the message

4. Database Field Encryption

Encrypt specific sensitive fields:

-- Encrypted
INSERT INTO users (email, ssn_encrypted) 
VALUES ('[email protected]', encrypt('123-45-6789', 'key'));

-- Decrypted when needed
SELECT decrypt(ssn_encrypted, 'key') FROM users;

Common Algorithms

Hash Algorithms

Encryption Algorithms

The Biggest Mistakes

Mistake 1: Encrypting Passwords

"I'll encrypt passwords so I can recover them if users forget."

Why it's wrong:

• What key do you use? If the key is in your code or database, attackers get it too.
• Password recovery should use reset flows, not decryption.
• Hash + reset email is the correct pattern.

Mistake 2: Using Fast Hashes for Passwords

"I'll just SHA-256 the password."

Why it's wrong:

• SHA-256 is too fast. Attackers can try billions per second.
• Use bcrypt, scrypt, or Argon2—designed to be slow.

Mistake 3: Hashing Data You Need to Recover

"I'll hash the credit card number for storage."

Why it's wrong:

• You need the card number to charge customers.
• Hashing is one-way—you can't recover it.
• Use encryption (and proper PCI compliance).

Mistake 4: Rolling Your Own Crypto

"I'll create a custom algorithm that's more secure."

Why it's wrong:

• Cryptography is hard. Experts still find bugs in standard algorithms.
• Your custom algorithm hasn't been tested by the security community.
• Use standard, audited libraries.

Quick Decision Guide

Need to store passwords? → Hash with bcrypt or Argon2

Need to verify file integrity? → Hash with SHA-256

Need to store sensitive data you'll read later? → Encrypt with AES-256

Need to send data securely over the network? → Use TLS (encryption)

Need to sign data to prove authenticity? → Hash, then encrypt hash with private key

Generate Hashes Now

Use our hash tools:

• MD5 Generator — Legacy hash (non-security uses only)
• SHA-256 Generator — Standard secure hash
• bcrypt Generator — Password hashing

FAQ

Can you decrypt a hash?

No. Hashing is mathematically one-way. You cannot reverse a hash to get the original input. "Hash decryption" services are actually lookup tables that check if your hash matches a known input.

If hashing is one-way, how do password systems verify passwords?

They hash the entered password and compare it to the stored hash. If the hashes match, the password is correct. The original password is never recovered or stored.

Is SHA-256 encryption?

No, SHA-256 is a hash function, not encryption. It's one-way with no key. You cannot recover the original input from a SHA-256 hash.

Can I encrypt with a hash and decrypt later?

No. That's not how hashing works. If you need to recover data, use encryption (AES-256, for example), not hashing.

What happens if I use the wrong one?

• Hash when you should encrypt: You lose the ability to recover original data.
• Encrypt when you should hash: Passwords become recoverable if attackers get the key.
• Both are serious security mistakes.

Related Tools:

• Hash Generator — Generate MD5, SHA-256, SHA-512 hashes
• bcrypt Generator — Secure password hashing
• File Hash Checker — Verify file integrity