Both hashing and encryption are essential security processes. They keep your data safe both online and offline and ensure that cybercriminals can’t monitor it, steal it, or tamper with it.
Telling the difference between the two can be really difficult. Just reading the Wikipedia pages for hashing and encryption won’t help — in fact, it will probably leave you more confused. And while there are many online articles discussing hashing and encryption, a lot of them are either hard to follow or just inaccurate.
Since I have tons of experience with both, I decided to put together this straightforward guide. I have been writing about cybersecurity topics for 6+ years and have often covered topics related to encryption or hashing (or both).
In this guide, I cover what both hashing and encryption are and how they work, and I also discuss real-life scenarios where both are used — for example, hashing is used by companies to securely store logins, whereas encryption is used by virtual private networks (VPNs) like ExpressVPN to protect your in-transit web data. Read on to find out more.
Editors' Note: ExpressVPN and this site are in the same ownership group.
Hashing vs. Encryption: Quick Overview
What Is Encryption?
Encryption is a security process that uses an encryption algorithm and an encryption key to turn readable data into ciphertext (encrypted text). It turns plaintext data, like names, email addresses, passwords, or other sensitive information, into what looks like a string of random characters.
Encryption is a two-way process, meaning that encrypted data can be decrypted, but only by the intended recipient, who holds the decryption key. Encryption can be used to secure stored data and to protect in-transit data (like messages, online purchases, or general web browsing).
What Does Encrypted Data Look Like?
Let’s say you want to encrypt the following readable data: “thisismypassword.”
If you use an encryption algorithm to make the data unreadable, you’d get this:
“lFbAdj1jVWxLpSFG6DqSky/jJ3Nnn1h7dZiGd9Fwxvo=.”
What Is Hashing?
Hashing is a cryptographic security process that uses a hash function (also called a hash algorithm) to convert data into fixed-size values. You could take plaintext, like a password, and turn it into a hash value, which looks like a random string of hexadecimal characters.
Hashing is a one-way process, which means you can’t directly reverse it. Due to that, hashing is normally used to verify the authenticity of stored data, and to ensure it hasn’t been altered. It’s also used to secure stored data — for example, a company might hash user passwords to ensure the logins stay safe even if the company suffers a data breach.
What Does Hashed Data Look Like?
Let’s say you have the following plain text: “1234password.”
If you use a hash function to scramble it, you’d get the following hash value:
“0b6571d043ac6b01fa45da96068045e07ff695b10b9c6157dab41a3392b65779a19662cc6e43f8abe528a4c933488c24df9a0940784b94ae22cd9b8cc1a75647.”
How Does Encryption Work?
Encryption uses an algorithm (a set of rules) to turn readable data into encrypted data. The algorithm relies on encryption and decryption keys — these are unique pieces of information that determine how the readable data is encrypted and decrypted.
There are two types of encryption that are widespread nowadays:
- Symmetric Encryption. This type of encryption relies on a symmetric encryption key, which means the same encryption key is used for both the encryption and the decryption process. The key is shared securely between the sender and the receiver to ensure safe access to the encrypted data.
- Asymmetric Encryption. In this case, two different encryption keys are used — a public encryption key and a private encryption key. The public key encrypts the data, while the private key decrypts it. With this type of encryption, only the private key needs to be shared and stored securely.
I have also seen some online sources mention hybrid encryption, which basically uses elements from both symmetric and asymmetric encryption. But hybrid encryption isn’t very popular, mostly because it’s really complicated to implement.
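To make the two-way nature of encryption concrete, here is a Go program added to this guide as an example (it is not code from the original article or from any product mentioned on this page; the key, key pair and plaintext are made up for the demonstration). It encrypts the page’s sample plaintext with AES-256-GCM, a widely used symmetric mode, decrypts it with the same key, and then repeats the exercise with an RSA key pair, where the public key encrypts and only the private key can decrypt. It also shows what happens with the wrong key or a modified ciphertext: decryption fails outright rather than returning garbage, because GCM authenticates the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// EncryptSymmetric encrypts plaintext with AES-256-GCM under a 32-byte key.
// A fresh random 12-byte nonce is prepended to the output so the receiver can
// recover it. GCM also appends an authentication tag, so a wrong key or a
// tampered ciphertext is rejected at decryption time.
func EncryptSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptSymmetric reverses EncryptSymmetric using the same key.
func DecryptSymmetric(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// GenerateKeyPair creates an RSA key pair for the asymmetric example.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptAsymmetric encrypts with the recipient's public key (RSA-OAEP);
// only the matching private key can undo it.
func EncryptAsymmetric(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptAsymmetric decrypts with the private key.
func DecryptAsymmetric(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	// Constructed sample input, matching the plaintext quoted on the page.
	plaintext := []byte("thisismypassword")

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, _ := EncryptSymmetric(key, plaintext)
	fmt.Println("AES-GCM ciphertext:", base64.StdEncoding.EncodeToString(ct))
	pt, _ := DecryptSymmetric(key, ct)
	fmt.Println("decrypted with the right key:", string(pt))

	wrongKey := make([]byte, 32) // all zeros: certainly not the key above
	if _, err := DecryptSymmetric(wrongKey, ct); err != nil {
		fmt.Println("decrypted with the wrong key:", err)
	}

	priv, _ := GenerateKeyPair()
	rct, _ := EncryptAsymmetric(&priv.PublicKey, plaintext)
	rpt, _ := DecryptAsymmetric(priv, rct)
	fmt.Println("RSA-OAEP round trip:", string(rpt))
}
```

Run it and the AES ciphertext will differ every time, because a new random nonce is drawn on each call; the decrypted text is the same each time, which is the whole point of encryption being reversible.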
How Does Hashing Work?
Hashing uses a hash function, which is basically an algorithm, to scramble readable data (also called input data or keys) and map it to hash values, which are fixed-size strings of letters and digits. Once data is hashed, there’s no way to reverse the process.
Hash functions are used alongside a hashing table. This is a data structure that is used to store, retrieve, and remove data input and hash value pairings. To keep it really simple, the hashing table is the thing that’s responsible for actually mapping data inputs to hash values. Basically, the hash function translates the input data into an index (also called a hash code), which is then added to the hashing table — afterwards, the index is linked to the hash value, which is also stored in the hashing table.
Due to the way hashing works, hash collisions can occur — this is basically when two or more data inputs are linked to the same hash value. Since malicious actors could exploit this vulnerability, most strong hashing functions are designed to be very collision-resistant (they minimize hash collisions as much as possible).
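The following Go program is an added example, not code from the original guide, showing the properties described above and also the file-integrity check mentioned later on this page. It hashes the page’s sample input “1234password” and inputs of very different lengths, showing that SHA-256 always produces 64 hex characters and SHA-512 always 128 (the length of the value quoted above); it changes one letter of the input to show that almost the whole digest changes; and it checks data against an expected digest the way a downloaded file is checked against a published checksum. The inputs are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Digest256 returns the SHA-256 hash of data as 64 hex characters.
func Digest256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Digest512 returns the SHA-512 hash of data as 128 hex characters, the
// length of the example hash value quoted on the page.
func Digest512(data []byte) string {
	sum := sha512.Sum512(data)
	return hex.EncodeToString(sum[:])
}

// HexDistance counts the positions at which two equal-length hex digests
// differ. A one-character change to the input flips roughly 15 of every 16
// positions, which is the "avalanche" behaviour expected of a good hash.
func HexDistance(a, b string) int {
	if len(a) != len(b) {
		return -1
	}
	n := 0
	for i := 0; i < len(a); i++ {
		if a[i] != b[i] {
			n++
		}
	}
	return n
}

// VerifyDigest checks data against a published hex digest, the same check a
// user performs on a downloaded file. The comparison is constant-time so the
// time taken does not reveal how many leading characters matched.
func VerifyDigest(data []byte, expectedHex string) bool {
	got := Digest256(data)
	want := strings.ToLower(expectedHex)
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

func main() {
	// Constructed sample inputs of very different lengths.
	inputs := [][]byte{
		[]byte("1234password"),
		[]byte("a"),
		[]byte(strings.Repeat("a long message ", 1000)),
	}
	for _, in := range inputs {
		fmt.Printf("%6d bytes in -> %d hex chars (SHA-256), %d hex chars (SHA-512)\n",
			len(in), len(Digest256(in)), len(Digest512(in)))
	}

	d1 := Digest256([]byte("1234password"))
	d2 := Digest256([]byte("1234passworD")) // one letter changed
	fmt.Println("1234password:", d1)
	fmt.Println("1234passworD:", d2)
	fmt.Printf("positions that differ after changing one letter: %d of %d\n",
		HexDistance(d1, d2), len(d1))

	fmt.Println("file matches published digest:", VerifyDigest([]byte("1234password"), d1))
	fmt.Println("modified file matches:        ", VerifyDigest([]byte("1234passworD"), d1))
}
```

Note what the program cannot do: there is no function that takes a digest back to “1234password”. That is the one-way property in practice, and it is why a leaked list of digests is far less useful to an attacker than a leaked list of passwords.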
What Is Salting?
Salting is an extra step added to the hashing process, which is intended to enhance the uniqueness of the resulting hash values. This way, they are less susceptible to brute-force attacks, which are cyberattacks that use trial and error to crack encrypted content. Salting can be used when securing any type of content, but it’s mostly utilized when storing passwords.
Salting works really simply: a cryptographically secure function (basically, an algorithm) is used to automatically generate a random value, which is called a “salt.” The salt is then added to the input data, which is usually a password, either at the beginning or at the end.
For example, let’s say we’re using “log1n” as input data, and “23DF$r” as the salt. After salting, the input data would look like this “23DF$rlog1n,” or like this “log1n23DF$r.” After that, the input data is hashed with a hash function, resulting in a more resilient hash value.
This process is handled by companies that secure and store sensitive data, so you won’t notice or have to take any extra steps on your end as a regular internet user. Ideally, a company would automatically implement salting whenever a user creates a new login and then hash and securely store that data.
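Here is the salting process above written out as a Go program, added as an example (it is not code from the original guide or from any company mentioned here). It uses the page’s sample password “log1n” and salt “23DF$r”, hashing salt-then-password exactly as described, and then does what a real login system does: draw a fresh random salt for each account, store only the salt and the digest, and verify a login attempt by recomputing the digest with the stored salt. The password, salt and account values are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// SaltedDigest hashes salt||password, the "salt at the beginning" layout
// described on the page. The same password with a different salt hashes to a
// completely different value, so two users with the same password do not end
// up with the same stored digest, and a precomputed table of digests of common
// passwords is useless.
//
// A single SHA-256 is used here to mirror the page's description. Production
// systems put the salt into a deliberately slow password-hashing function
// (bcrypt, scrypt or Argon2) instead, so that each guess costs the attacker
// real time.
func SaltedDigest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// StoredPassword is all the server keeps for an account: the salt and the
// digest, never the password itself.
type StoredPassword struct {
	Salt   []byte
	Digest []byte
}

// NewStoredPassword draws a fresh random 16-byte salt for a new login.
func NewStoredPassword(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{Salt: salt, Digest: SaltedDigest(salt, password)}, nil
}

// Verify recomputes the digest with the stored salt and compares it to the
// stored digest in constant time, so a mismatch takes the same time however
// many bytes happened to agree.
func (s StoredPassword) Verify(candidate string) bool {
	return subtle.ConstantTimeCompare(s.Digest, SaltedDigest(s.Salt, candidate)) == 1
}

func main() {
	// Constructed sample: the page's "log1n" password and "23DF$r" salt.
	a := SaltedDigest([]byte("23DF$r"), "log1n")
	b := SaltedDigest([]byte("Xy9!qk"), "log1n") // same password, another salt
	fmt.Println("salt 23DF$r:", hex.EncodeToString(a))
	fmt.Println("salt Xy9!qk:", hex.EncodeToString(b))

	// What a signup followed by two login attempts looks like.
	rec, err := NewStoredPassword("log1n")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored salt:  ", hex.EncodeToString(rec.Salt))
	fmt.Println("stored digest:", hex.EncodeToString(rec.Digest))
	fmt.Println("login with log1n accepted:", rec.Verify("log1n"))
	fmt.Println("login with log2n accepted:", rec.Verify("log2n"))
}
```

Because each account gets its own salt, even a breach that exposes the whole table gives an attacker no way to spot which users share a password, and every account has to be attacked separately.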
Common Encryption Algorithms
There are tons of encryption algorithms in use. You might also see people referring to them as ciphers, which is basically an interchangeable term for “algorithm.” Note that each type of encryption (asymmetric and symmetric) uses different algorithms.
In the table below, I chose to only include algorithms that are widely adopted and have legitimate uses. I also only included algorithms that are secure; I didn’t cover algorithms that have been discontinued or proven insecure, as they’re not relevant.
Common Hashing Algorithms
As in the previous section, I’ve only included hashing algorithms that are widely used and also secure. So, for example, I won’t cover MD5 (Message-Digest Algorithm 5), which is well-known but not secure since it has significant issues with hash collisions.
Here are the most common hash functions:
- Secure Hash Algorithms (SHA). This is a family of algorithms that has evolved over the years. The full list includes SHA-1, SHA-2, and SHA-3. SHA-1 is no longer considered secure since it’s very likely to create hash collisions, so SHA-2 is generally used instead as it’s more secure. SHA-3 provides better protection against certain cyber attacks than SHA-2, but it’s not so widely adopted because it’s much slower than SHA-2.
- BLAKE. Another cryptographic algorithm family, which consists of BLAKE, BLAKE2, and BLAKE3. All algorithms are very secure, and BLAKE2 is considered to be as secure as SHA-3. However, most BLAKE algorithms are faster than SHA-2 and SHA-3. Also, one of BLAKE2’s variants (BLAKE2s) is used by the WireGuard VPN protocol.
- RIPE Message Digest (RIPEMD). A family of hash functions that includes RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. Out of those, RIPEMD-160 is the most commonly used, especially in cryptocurrencies. RIPEMD and RIPEMD-128, however, are generally no longer used because they’re not considered secure — I only added them here because they’re part of the RIPEMD cipher family.
When Is Encryption Used?
Encryption is used in tons of scenarios, so I’m just going to highlight a few well-known ones:
- Messaging apps. Some messaging services use encryption to secure user messages. Some (like Signal) even use end-to-end encryption, which means that not even the messaging app can decrypt users’ messages.
- Online banking and purchases. Financial services and eCommerce platforms use encryption to make sure that nobody can monitor users’ transactions and payment data.
- Wi-Fi networks. All Wi-Fi networks come with the option to encrypt all network traffic. This prevents anyone from spying on the activities of people connected to a Wi-Fi network.
- VPNs. VPN services use encryption to protect their users’ web traffic, ensuring that third parties can’t monitor it. All top VPNs (like ExpressVPN and Private Internet Access) use the very secure AES algorithm, which is also used by military and financial institutions.
- File storage. Many apps and even operating systems allow you to encrypt local files, so that nobody can access them if they use your device.
Editors' Note: Intego, Private Internet Access, CyberGhost and ExpressVPN are owned by Kape Technologies, our parent company
When Is Hashing Used?
Like encryption, hashing also has tons of use cases. So, I’ll only mention a few notable ones:
- Password storage. Hashing provides extra security when storing passwords, by storing hash values instead of the actual passwords — this way, a data breach can’t compromise the actual passwords. 1Password, for example, uses the SHA-256 algorithm to keep users’ passwords safe.
- File integrity verification. Hashing can be used while sharing and downloading files to ensure that nobody has tampered with the data being transferred.
- Cryptocurrencies. Many cryptocurrency systems use hashing to protect against distributed denial-of-service (DDoS) attacks and to ensure that all data shared over the system is authentic and secure.
- Digital signatures. Hashing is used to secure digital signatures, generating a hash value when a signature occurs. The hash value then acts as a sort of digital fingerprint that’s unique to the document that was signed.
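The digital-signature use case above, as an added Go example (not code from the original guide or from any product on this page). The document is hashed with SHA-256 to produce the fingerprint, and that fingerprint is what gets signed with an Ed25519 private key; anyone holding the public key recomputes the fingerprint of the document they received and checks the signature against it. Ed25519 is normally handed the whole message and hashes internally; the hash step is written out explicitly here to show the fingerprint the page describes. The key pair and the sample document are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the SHA-256 digest that stands in for the whole document:
// always 32 bytes whatever the document's length, and different for any
// altered version of the document.
func Fingerprint(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// NewSigner generates an Ed25519 key pair. The private key stays with the
// signer; the public key is given to anyone who needs to verify signatures.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument signs the document's fingerprint rather than the raw document,
// so the signed value is a fixed 32 bytes no matter how large the document is.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, Fingerprint(doc))
}

// VerifyDocument recomputes the fingerprint of the document it was given and
// checks the signature against it with the public key. A single changed byte
// in the document changes the fingerprint, so the signature no longer matches.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, Fingerprint(doc), sig)
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}

	// Constructed sample document.
	contract := []byte("Pay 100 EUR to account 12345 on 2024-01-01.")
	sig := SignDocument(priv, contract)

	fmt.Println("fingerprint:", hex.EncodeToString(Fingerprint(contract)))
	fmt.Println("signature:  ", hex.EncodeToString(sig))
	fmt.Println("original document verifies:", VerifyDocument(pub, contract, sig))

	// Someone edits one digit after the document was signed.
	tampered := []byte("Pay 900 EUR to account 12345 on 2024-01-01.")
	fmt.Println("tampered document verifies:", VerifyDocument(pub, tampered, sig))
}
```

The receiver never needs the private key: the public key is enough to confirm both that the document is unchanged since signing and that it was signed by whoever holds the matching private key.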
Frequently Asked Questions
What’s the main difference between hashing and encryption?
There are multiple differences, but really the main one (which is also the easiest to understand) is that encryption is reversible, whereas hashing is irreversible. So, any file that’s scrambled via hashing can’t be returned to its original, readable state. On the other hand, encryption makes data unreadable, but it can also make it readable again via the decryption process.
Is hashing better than encryption?
Neither is better than the other — both hashing and encryption are used to secure data, but each process has its own use cases. For example, encryption is used by messaging apps, Wi-Fi networks, and virtual private networks (VPNs) to protect in-transit web data, whereas hashing is used by companies to secure passwords and verify the integrity of transferred files.
Does hashing encrypt data?
No — hashing instead irreversibly transforms plaintext data into unreadable data. It achieves the same end result as encryption (making data unreadable), but it doesn’t actually encrypt anything. If it were to do that, it’d mean the data could also be decrypted to be made readable again.
Is encryption reversible?
Yes, encryption is a two-way process. It uses an encryption key to make data unreadable, and a decryption key to make it readable again. Hashing, on the other hand, is irreversible — you can’t turn data into plaintext once you’ve made it unreadable.