Hashing vs Encryption
Hashing and encryption are both used to protect data, but they serve fundamentally different purposes and are often confused. Understanding the distinction is critical for building secure systems.
What is Hashing?
Hashing transforms input data into a fixed-length string using a one-way mathematical function. Once data is hashed, it cannot be reversed to obtain the original input.
The same input will always produce the same hash, but even a small change in input results in a completely different output (known as the avalanche effect).
Common Hashing Algorithms
- SHA-256 – General-purpose cryptographic hash
- bcrypt – Password hashing with built-in salting
- Argon2 – Modern, memory-hard password hashing
Real-World Hashing Examples
Example 1: Password Storage
When a user creates a password, the system stores only the hash of the password, not the password itself. During login, the entered password is hashed again and compared with the stored hash.
Even if a database is compromised, attackers cannot recover original passwords.
Example 2: File Integrity Verification
When downloading software, a published SHA-256 hash allows users to verify that the file has not been modified or tampered with.
Key Properties of Hashing
- One-way (irreversible)
- No key required
- Deterministic output
- Collision-resistant
What is Encryption?
Encryption converts data into an unreadable format using a key, but unlike hashing, encryption is reversible.
Authorized parties can decrypt the data using the correct key and recover the original information.
Types of Encryption
- Symmetric encryption (AES) – Same key for encrypt/decrypt
- Asymmetric encryption (RSA, ECC) – Public/private key pair
Real-World Encryption Examples
Example 1: HTTPS (TLS)
Data sent between a browser and a server is encrypted using TLS so that attackers cannot read sensitive information like passwords or tokens.
Example 2: Encrypted Databases
Sensitive fields such as credit card numbers are encrypted in databases so that only authorized services can decrypt and read them.
Key Properties of Encryption
- Reversible with a key
- Protects confidentiality
- Key management is critical
Hashing vs Encryption – Key Differences
| Aspect | Hashing | Encryption |
|---|---|---|
| Reversible | No | Yes |
| Key Required | No | Yes |
| Main Purpose | Verification & integrity | Confidentiality |
| Common Use | Passwords, checksums | Secure data storage & transfer |
Secure Implementation Examples (Java, Python, C/C++)
Below are secure, production-grade examples showing how hashing and encryption are implemented correctly in real systems.
Password Hashing (Recommended)
Python – bcrypt (Secure for passwords)
import bcrypt
password = b"StrongPassword@123"
hashed = bcrypt.hashpw(password, bcrypt.gensalt())
if bcrypt.checkpw(password, hashed):
print("Password is valid")
bcrypt automatically handles salting and is intentionally slow to resist brute-force attacks.
Java – bcrypt (Spring-compatible)
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hash = encoder.encode("StrongPassword@123");
boolean valid = encoder.matches("StrongPassword@123", hash);
Java applications commonly use bcrypt through Spring Security.
C/C++ – SHA-256 (Integrity only, NOT passwords)
SHA256((unsigned char*)data, strlen(data), hash);
SHA-256 is suitable for file integrity checks, but never for passwords.
Encryption (When Data Must Be Recovered)
Python – AES-GCM (Authenticated Encryption)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
encrypted = aesgcm.encrypt(nonce, data, None)
AES-GCM provides confidentiality and tamper detection.
Java – AES-GCM
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key, spec);
Avoid older modes like ECB. Always use authenticated encryption.
C/C++ – AES via OpenSSL
EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv);
Keys must be stored securely (KMS, Vault) and never hardcoded.
Why Passwords Should Be Hashed, Not Encrypted
Passwords should never be decrypted by the system. The system only needs to verify that the password is correct, not recover the original value.
If passwords were encrypted instead of hashed, anyone with access to the encryption key could retrieve all user passwords.
Salting and Its Importance
Salting adds a unique random value to each password before hashing, preventing rainbow table and precomputed hash attacks.
Common Mistakes Developers Make
- Encrypting passwords instead of hashing
- Using MD5 or SHA-1
- Hardcoding encryption keys
- Using AES-ECB mode
Best Practices
- Use bcrypt or Argon2 for passwords
- Use AES-GCM for encryption
- Store keys in KMS or Vault
- Rotate keys regularly
- Use HTTPS everywhere
Summary
Hashing is for verification where data must never be recovered. Encryption is for confidentiality where data must be retrieved later.
Choosing the wrong approach leads to serious security vulnerabilities.