🔐 Crypto & Encoding
Encoding vs Encryption vs Hashing: What's the Difference?
By Justin Le
· 6 min read · Updated June 27, 2026 Encoding, encryption and hashing are constantly confused — and mixing them up causes real security mistakes, like "encrypting" a password with Base64 (which protects nothing). They solve completely different problems. Here's the clear distinction.
The one-table summary
| Technique | Reversible? | Uses a key? | Purpose |
|---|---|---|---|
| Encoding | Yes (anyone) | No | Format / transport data |
| Encryption | Yes (with key) | Yes | Confidentiality |
| Hashing | No | No* | Integrity / fingerprint |
* HMAC adds a key to hashing for authentication, but the hash itself is still one-way.
Encoding: making data portable
Encoding transforms data into a different format so it can be safely stored or transmitted — nothing more. It is not a security measure: anyone can reverse it, no key required. Base64 and URL encoding are the classic examples. Encode data when a channel needs a specific format (text-safe bytes, URL-safe characters), never to hide it.
Encryption: keeping secrets
Encryption scrambles data so that only someone with the right key can read it. It's reversible by design — that's the point, since you need to recover the original. There are two families: symmetric (one shared key, e.g. AES) and asymmetric (a public/private key pair, e.g. RSA). Use encryption for confidentiality: protecting data in transit (HTTPS) or at rest (encrypted disks, databases).
Hashing: fingerprinting data
Hashing runs data through a one-way function to produce a fixed-size fingerprint. It's not reversible — there's no "unhash" — and needs no key. Use hashing to verify integrity (did this file change?) and to store passwords (with a slow, salted algorithm). The same input always gives the same hash, but you can't get the input back from the hash.
The mistakes that come from confusing them
- "I Base64-encoded the password, so it's safe." No — encoding is reversible by anyone. The password is effectively plain text.
- "I hashed the credit-card number so I can show it later." No — hashing is one-way; you can't recover it. You wanted encryption.
- "I'll store passwords encrypted." Risky — if the key leaks, every password is exposed. Passwords should be hashed (bcrypt/Argon2), not encrypted.
How to choose
- Need to format data for transport? → Encoding.
- Need to keep data secret but recover it later? → Encryption.
- Need to verify data or store passwords? → Hashing.
- Need to prove a message's integrity and sender? → HMAC (keyed hashing).
Try the tools
See each idea in action: encode with the Base64 converter, fingerprint with the hash generator, authenticate with the HMAC generator, and store passwords properly with the bcrypt tool.
Frequently asked questions
Is Base64 encoding the same as encryption?
No. Base64 is encoding — reversible by anyone, with no key. It provides zero confidentiality. Encryption requires a key to reverse and is what you use to keep data secret.
What's the difference between encryption and hashing?
Encryption is reversible with a key and is used to keep data confidential. Hashing is one-way and keyless, used to verify integrity or store passwords. You can decrypt; you cannot 'unhash'.
Should passwords be encrypted or hashed?
Hashed — with a slow, salted algorithm like bcrypt or Argon2. Encrypting passwords is risky because anyone who steals the key gets every password. Hashing has no key to steal.
Try the related tools
- Base64 Encode / Decode Convert text to Base64 and back, with full Unicode (UTF-8) support.
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512) Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- HMAC Generator (SHA-1, SHA-256, SHA-512) Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
Related guides
- What Is Base64 Encoding? (And Why It's Not Encryption) Base64 turns binary data into safe text — but it is not encryption. Here's how it works, why it grows your data by a third, and when to reach for it.
- What Is a Hash Function? What a hash function actually does, the properties that make it useful, and the difference between a cryptographic hash and a hash for storing passwords.
- What Is a JWT and How Does It Work? How JSON Web Tokens really work — the header, payload and signature, what signing proves, and the security mistakes that bite teams.