Hashing vs Encryption: What's the Difference?

The core difference: direction

The most fundamental difference between hashing and encryption comes down to one sentence: hashing is one-way, encryption is two-way.

The purpose of encryption is confidentiality, so it must be able to recover the original—encrypt data today, and tomorrow you must be able to decrypt it with the right key, otherwise the data is gone forever. The purpose of hashing isn't confidentiality but verification; it is deliberately designed to be "computable forward, unrecoverable backward," and there is simply no such thing as "un-hashing."

Keep this directionality in mind and all the other differences follow naturally.

Hashing: a one-way fingerprint

A hash function compresses an input of any length into a fixed-length output, deliberately discarding information along the way, so it cannot be restored. Its key properties are:

• Irreversible: given a hash value, you cannot work back to the original input.
• Fixed length: no matter how large the input, SHA-256 always outputs 64 characters.
• Deterministic: the same input always yields the same output, so it can be used for comparison.
• No key: anyone computes the same hash for the same data; no secret key is needed or used.

Because it's both irreversible and deterministic, hashing suits situations where "you only want to confirm whether something is the same, without needing to see the original"—for example, verifying passwords or checking file integrity. To dive deeper into hashing itself, read What Is a Hash Function.

Encryption: reversible confidentiality

Encryption turns readable plaintext into unreadable ciphertext via an algorithm and a key, and later turns it back into plaintext with the key. Its key properties are:

• Reversible: with the correct key you can decrypt and recover the original; this is the whole point of encryption.
• Requires a key: security rests on keeping the key secret, while the algorithm itself is usually public.
• Length varies with content: ciphertext length roughly tracks the length of the plaintext, unlike the fixed length of a hash.

Encryption falls into two categories:

• Symmetric encryption (such as AES): uses the same key for encryption and decryption, is fast, and suits encrypting large amounts of data.
• Asymmetric encryption (such as RSA): uses a pair of public and private keys—the public key encrypts and the private key decrypts—commonly used for key exchange and digital signatures.

The difference at a glance

Common confusion and misuse

"Store passwords encrypted"

This phrase is almost always a misuse. Storing passwords should use hashing (and specifically a password-purpose hash like bcrypt or Argon2), not encryption. The reason is simple: storing passwords with encryption means the system holds a key that can decrypt passwords back to plaintext, and once that key leaks, every password is exposed. With hashing there's simply no path "back to plaintext"—at login you just compare hashes. See Hash Algorithm Security Comparison.

"Hashing is a kind of encryption"

It isn't. Encryption can be decrypted, hashing cannot, and their purposes differ too. Calling hashing "encryption" is the most common terminology mistake, and it leads to real security misjudgments in communication and design.

"Base64 is encryption"

Even less so. Base64 is encoding—no key, no confidentiality, anyone can restore it directly. It's purely a different way of representing data. See the note at the end.

When to use which?

Judge by a simple principle: will you need to get the original data back later?

• You don't need the original back, only to confirm consistency or integrity: use hashing:
  • Storing and verifying passwords (use bcrypt / Argon2).
  • Verifying the integrity of downloaded files (use SHA-256; see File Integrity Verification).
  • Detecting whether data has been tampered with.
• You'll need to restore it to the original later: use encryption:
  • Sending private messages, protecting data in transit (HTTPS is encryption underneath).
  • Encrypting drives, or confidential database fields you need to read back later (such as credit card numbers).

Sometimes the two are used together. A digital signature, for example, first hashes the content and then encrypts that hash with a private key—the hash handles compression and tamper detection, while encryption proves the signer's identity.

By the way: encoding is not encryption

There's a third concept easily confused with the previous two: encoding, such as Base64 or URL encoding. Encoding merely converts data into another representation for convenient transmission or storage; it has no key, provides no confidentiality, and anyone can decode it straight back to the original. Putting all three side by side:

• Encoding: change appearance, no confidentiality, anyone can restore it.
• Hashing: compute a fingerprint, cannot be restored.
• Encryption: confidentiality, restorable only with the key.

To experience the "irreversible, deterministic" nature of hashing firsthand, open the tool and enter any text—watch how the same input always produces the same result, while a tiny change makes the output completely different.