Hash vs Encryption — What's the Difference and When to Use Each

💡Hashing is one-way: it converts data into a fixed-length digest that cannot be reversed. Encryption is two-way: it converts data into ciphertext that can be decrypted with a key. Use hashing for passwords and data integrity checks. Use encryption for data you need to retrieve later — like tokens, PII, or messages. Use the Hash Generator to create hashes instantly.

Key Differences — Side by Side

Hash for password storage

❌ Wrong

// Storing plain text password
db.save({ password: userPassword });

✅ Fixed

// Hashing with bcrypt (irreversible); the cost factor 12 makes offline guessing slow
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(userPassword, 12);
db.save({ password: hash });

Plain text passwords are catastrophic if the DB leaks. Hashes protect users even in a breach.

Encryption for sensitive data retrieval

❌ Wrong

// Can't get back the original
const stored = sha256(socialSecurityNumber);

✅ Fixed

// Encrypt with AES-256 (reversible with key)
const encrypted = aes256.encrypt(key, socialSecurityNumber);
// Can decrypt later: aes256.decrypt(key, encrypted)

If you need to retrieve the original data, a hash won't work. Use encryption.

Hash for data integrity

❌ Wrong

// Trusting data without verification
const data = await downloadFile(url);

✅ Fixed

const data = await downloadFile(url);
const hash = sha256(data);
// expectedHash must come from a trusted source (e.g. a signed release page),
// not from the same location as the download
if (hash !== expectedHash) throw new Error('File corrupted');

SHA-256 checksums detect corruption or tampering. Common for package downloads.

JWT signature verification

❌ Wrong

// Decoding JWT without verifying
const payload = JSON.parse(atob(token.split('.')[1]));

✅ Fixed

// Verify signature (uses HMAC hash); jwt.verify throws if the signature is invalid
const jwt = require('jsonwebtoken');
const payload = jwt.verify(token, secret);

JWTs signed with HS256 use an HMAC, a hash-based MAC keyed with the server's secret. Decoding the payload without checking that signature lets anyone alter the claims.


Real-World Context

Storing user passwords

// CORRECT: hash passwords (one-way)
const stored = await bcrypt.hash(password, 12);

// WRONG: encrypt passwords (reversible)
const stored = encrypt(password, secretKey);

Hashed passwords can never be decrypted — even if your database is stolen; weak passwords can still be guessed offline, which is why a slow hash like bcrypt with a cost factor matters. Encrypted passwords can be decrypted by anyone who obtains the key.

File integrity check

// Hash the file contents with Node's built-in crypto module
const crypto = require('crypto');
const hash = crypto.createHash('sha256')
  .update(fileContents)
  .digest('hex');
// Compare with expected hash to detect tampering

SHA-256 hash changes completely if even one byte of the file changes.

Storing API keys for retrieval

// WRONG: hash API key (can't retrieve for user)
const stored = sha256(apiKey);

// CORRECT: encrypt API key (can decrypt to show user)
const stored = encrypt(apiKey, masterKey);

If you need to show the API key to the user later, you must encrypt it — hashing is irreversible.


Frequently Asked Questions

Can you decrypt a hash?

No. Hashing is one-way by design. You can only compare — hash the input and check if it matches the stored hash. There is no reverse operation.

Is MD5 still safe to use?

Not for security-sensitive uses. MD5 is broken for cryptographic purposes — collision attacks are practical. Use SHA-256 or SHA-3 for integrity checks, bcrypt for passwords.

What is a salt and why is it used with hashes?

A salt is random data added to the input before hashing. It prevents identical passwords from producing the same hash and defeats rainbow table attacks. Password hashing functions such as bcrypt generate and store the salt for you, so no separate salt handling is needed.
