ToolSec

🔐 Crypto & Encoding

Encoding vs Encryption vs Hashing: What's the Difference?

· 6 min read · Updated June 27, 2026

Encoding, encryption and hashing are constantly confused — and mixing them up causes real security mistakes, like "encrypting" a password with Base64 (which protects nothing). They solve completely different problems. Here's the clear distinction.

The one-table summary

TechniqueReversible?Uses a key?Purpose
EncodingYes (anyone)NoFormat / transport data
EncryptionYes (with key)YesConfidentiality
HashingNoNo*Integrity / fingerprint

* HMAC adds a key to hashing for authentication, but the hash itself is still one-way.

Encoding: making data portable

Encoding transforms data into a different format so it can be safely stored or transmitted — nothing more. It is not a security measure: anyone can reverse it, no key required. Base64 and URL encoding are the classic examples. Encode data when a channel needs a specific format (text-safe bytes, URL-safe characters), never to hide it.

Encryption: keeping secrets

Encryption scrambles data so that only someone with the right key can read it. It's reversible by design — that's the point, since you need to recover the original. There are two families: symmetric (one shared key, e.g. AES) and asymmetric (a public/private key pair, e.g. RSA). Use encryption for confidentiality: protecting data in transit (HTTPS) or at rest (encrypted disks, databases).

Hashing: fingerprinting data

Hashing runs data through a one-way function to produce a fixed-size fingerprint. It's not reversible — there's no "unhash" — and needs no key. Use hashing to verify integrity (did this file change?) and to store passwords (with a slow, salted algorithm). The same input always gives the same hash, but you can't get the input back from the hash.

The mistakes that come from confusing them

  • "I Base64-encoded the password, so it's safe." No — encoding is reversible by anyone. The password is effectively plain text.
  • "I hashed the credit-card number so I can show it later." No — hashing is one-way; you can't recover it. You wanted encryption.
  • "I'll store passwords encrypted." Risky — if the key leaks, every password is exposed. Passwords should be hashed (bcrypt/Argon2), not encrypted.

How to choose

  • Need to format data for transport? → Encoding.
  • Need to keep data secret but recover it later? → Encryption.
  • Need to verify data or store passwords? → Hashing.
  • Need to prove a message's integrity and sender? → HMAC (keyed hashing).

Try the tools

See each idea in action: encode with the Base64 converter, fingerprint with the hash generator, authenticate with the HMAC generator, and store passwords properly with the bcrypt tool.

Frequently asked questions

Is Base64 encoding the same as encryption?

No. Base64 is encoding — reversible by anyone, with no key. It provides zero confidentiality. Encryption requires a key to reverse and is what you use to keep data secret.

What's the difference between encryption and hashing?

Encryption is reversible with a key and is used to keep data confidential. Hashing is one-way and keyless, used to verify integrity or store passwords. You can decrypt; you cannot 'unhash'.

Should passwords be encrypted or hashed?

Hashed — with a slow, salted algorithm like bcrypt or Argon2. Encrypting passwords is risky because anyone who steals the key gets every password. Hashing has no key to steal.

Try the related tools

Related guides