Security 2026-04-21

Hash vs Encryption: Stop Confusing Them

Hashes are one-way fingerprints. Encryption is reversible. They solve different problems.

Hashing and encryption are constantly mixed up — even in security-related job interviews. The mistake leads to real bugs.

Hashing

Input → fixed-length output. Same input always produces the same output. The function cannot be reversed.

SHA-256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

Properties: deterministic, one-way, fixed output size, collision-resistant.

Uses: file integrity (does the download match?), data deduplication, password storage (with bcrypt/Argon2, not raw SHA-256), git commit IDs.

Encryption

Input + key → ciphertext. With the right key, ciphertext → original input.

encrypt("hello", key) = "kT7d..."  (different output for same input due to IV)

decrypt("kT7d...", key) = "hello"

Symmetric: same key for encrypt and decrypt (AES-GCM).

Asymmetric: public key encrypts, private key decrypts (RSA, ECDSA).

Uses: protecting data in transit (TLS), at rest (disk encryption), and for delivery (PGP).

When to Use Each

| Goal | Tool |
|------|------|
| Store passwords | Argon2 / bcrypt (a slow hash) |
| Verify file download | SHA-256 hash |
| Encrypt secrets in DB | AES-GCM with KMS-managed key |
| Sign API requests | HMAC (a keyed hash) or asymmetric signature |
| Send data privately | TLS in transit, AES at rest |

Common Confusions

  • "Encrypted password" usually means hashed; storing reversible passwords is a vulnerability.
  • "Hashed and salted" applies to passwords specifically — salt prevents rainbow table attacks.
  • HMAC is technically a keyed hash, used for message authentication, not encryption.
  • Encoding (Base64, hex) is not encryption; it is reversible without a key.
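
The distinctions above in runnable form, as an added example that is not part of the original post: an unkeyed hash for integrity, a salted slow hash for passwords, a keyed hash for request signing, and encoding that reverses without any key. Python's standard-library scrypt stands in for Argon2id, which the standard library does not ship; the function names and sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

def file_digest(data: bytes) -> str:
    """Unkeyed hash: anyone can recompute it to check integrity."""
    return hashlib.sha256(data).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash. scrypt (stdlib) stands in for Argon2id."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt, then compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def sign_request(key: bytes, body: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): only holders of `key` can produce the tag."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_request(key: bytes, body: bytes, tag: str) -> bool:
    """Recompute the tag over the received body and compare in constant time."""
    return hmac.compare_digest(sign_request(key, body), tag)

if __name__ == "__main__":
    # All inputs below are constructed sample values.
    print(file_digest(b"hello"))  # same digest as the SHA-256("hello") line above
    salt_a, hash_a = hash_password("hunter2")
    salt_b, hash_b = hash_password("hunter2")
    print(hash_a != hash_b)                            # salts differ, so hashes differ
    print(verify_password("hunter2", salt_a, hash_a))  # correct password verifies
    key = os.urandom(32)
    body = b'{"amount": 10}'
    tag = sign_request(key, body)
    print(verify_request(key, b'{"amount": 1000}', tag))  # tampered body is rejected
    # Encoding needs no key at all: anyone can reverse it.
    print(base64.b64decode(base64.b64encode(b"hello")))
```

Store the salt next to the password hash; it is not a secret. The HMAC key is a secret and belongs wherever the rest of your keys are managed.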

Algorithm Choices in 2026

  • General hash: SHA-256 or SHA-3
  • Password hash: Argon2id
  • Symmetric: AES-256-GCM
  • Asymmetric: Ed25519 for signatures, X25519 for key exchange
  • HMAC: HMAC-SHA-256

For password hashing details see [bcrypt vs Argon2](https://sdk.is/blog/bcrypt-vs-argon2-passwords).