Encoding vs encryption vs hashing: what's the difference?
Encoding, encryption, and hashing are easy to confuse but do very different jobs. Here's what each one is for, with clear examples and when to use which.
Software engineer and technical writer
Encoding, encryption, and hashing get used as if they mean the same thing, and that confusion causes real security mistakes, like assuming Base64 "hides" a password. The three do completely different jobs. Here is the short version, then the detail.
- Encoding changes how data is represented so it can travel safely. It is
reversible by anyone and provides no secrecy.
- Encryption scrambles data so only someone with the key can read it. It is
reversible only with that key and provides confidentiality.
- Hashing turns data into a fixed-size fingerprint. It is one-way and is
used to verify data, not to hide it.
Encoding: making data safe to transport
Encoding converts data into a format that a given system can handle. The classic example is Base64, which represents arbitrary bytes using 64 plain ASCII characters so they survive systems that expect text, such as URLs, JSON values, email, and HTTP headers.
The key point: encoding uses no key, and anyone can reverse it. So encoding gives you compatibility, not security.
If you ever see a Base64 string and think the data is protected, decode it and you will see the original immediately. That is by design. Other examples of encoding include URL-encoding (turning a space into %20) and HTML entities (turning < into <).
Encryption: keeping data secret
Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using an algorithm and a key. Without the key, the ciphertext is meaningless. With the key, you can reverse it back to the original.
This is what protects your data in real terms:
- Symmetric encryption (such as AES) uses the same key to encrypt and
decrypt.
- Asymmetric encryption (such as RSA) uses a public key to encrypt and a
private key to decrypt.
The defining feature is the key. Encryption is reversible, but only by someone who holds the right secret. That is the difference between encryption and plain encoding.
Hashing: verifying without storing
Hashing runs data through a one-way function that produces a fixed-size output called a digest or hash. The same input always gives the same digest, but you cannot work backward from the digest to the input.
Because of that, hashing is used to check things rather than hide them:
- Verify a downloaded file matches the original by comparing hashes.
- Check a password without storing the password itself: store the hash, then
hash what the user types and compare.
- Detect whether two pieces of data are identical.
One caution for passwords specifically: a plain fast hash like SHA-256 is not enough on its own. Password storage needs a slow, salted algorithm built for the job (such as bcrypt, scrypt, or Argon2). For comparing which general-purpose hash to use, see MD5 vs SHA-256.
A side-by-side comparison
| Property | Encoding | Encryption | Hashing |
|---|---|---|---|
| Purpose | Safe transport/representation | Confidentiality | Integrity / verification |
| Uses a key | No | Yes | No |
| Reversible | Yes, by anyone | Yes, with the key | No |
| Output size | Varies with input | Varies with input | Fixed |
| Example | Base64, URL-encoding | AES, RSA | SHA-256, MD5 |
How to pick the right one
Ask what you actually need:
- Need data to survive a text-only channel? That is encoding.
- Need data to stay secret from anyone without a key? That is encryption.
- Need to verify data or check a value without keeping the original? That is
hashing.
Get this distinction right and a whole class of security bugs disappears. The most common one is treating Base64 as if it protects anything. It does not.
Key takeaways
- Encoding (such as Base64) is reversible by anyone and provides no security. It
only changes data representation for safe transport.
- Encryption is reversible only with a key and is what actually keeps data
secret.
- Hashing is one-way and is used to verify data or check a value, not to hide
it.
- Base64 is not encryption. Decoding it takes a single step and reveals the
original.
- For password storage, use a slow salted algorithm like bcrypt, scrypt, or
Argon2, not a plain fast hash.
This article was prepared with AI-assisted drafting and reviewed by a human editor for accuracy, clarity, and relevance.
Frequently asked questions
Is Base64 a form of encryption?+
No. Base64 is encoding, not encryption. It has no key and anyone can decode it instantly, so it provides no confidentiality. It only changes how data is represented so it can travel safely through text-based systems.
Can you reverse a hash to get the original data?+
No. Hashing is a one-way function. You cannot recover the input from the output. You can only hash a candidate input again and compare the two digests, which is how password and file checks work.
When should I use encryption instead of encoding?+
Use encryption whenever you need to keep data secret from anyone without the key, such as passwords in transit or sensitive files at rest. Use encoding only to make data safe to transport or store in a particular format.
Is hashing the same as encryption?+
No. Encryption is reversible with the right key and is meant to protect confidentiality. Hashing is one-way and is meant to verify integrity or check a value without storing the original.