Can you explain the difference between hashing, encryption, and encoding?
Short answer
Encoding (like Base64) is a reversible format change with no secret — not security. Encryption is reversible with a key and protects confidentiality. Hashing is a one-way function producing a fixed-length digest, used for integrity checks and password storage, and cannot be reversed back to the input.
People mix these three up constantly, and conflating them leads to real security mistakes — like "encrypting" a password in Base64. Each does something fundamentally different.
Encoding
Encoding transforms data into another format for compatibility or transport, not secrecy. Base64, URL-encoding, and ASCII are examples. There is no key — anyone can decode it trivially. If you see Base64 protecting a "secret," that's a finding, not a control.
Encryption
Encryption transforms data so it can only be read by someone with the right key, and it is reversible by design. Its purpose is confidentiality. Without the key, the ciphertext is meaningless; with it, you recover the original plaintext exactly. This is what protects data in transit (TLS) and at rest (disk encryption).
Hashing
Hashing runs data through a one-way function (SHA-256, bcrypt, Argon2) to produce a fixed-length digest. You cannot reverse a hash back to its input. Its purposes are integrity (the same input always yields the same hash, so any change is detectable) and password storage (store the hash, compare hashes at login, never store the plaintext).
For passwords specifically, you use a slow hash plus a unique salt per user so identical passwords produce different hashes and precomputed "rainbow table" attacks fail.
The quick test
Ask: can I get the original back, and do I need a secret to do it? Encoding — yes, no secret. Encryption — yes, with a key. Hashing — no, never.
Why this matters
Interviewers use this to catch a classic confusion. A candidate who can state purpose plus reversibility for each, and who knows passwords should be salted and hashed (not encrypted, never encoded), demonstrates exactly the kind of precision that prevents data-breach headlines.
Likely follow-ups
- Why should passwords be hashed and salted rather than encrypted?
- What is a salt and what attack does it defend against?
- Is Base64 ever appropriate for protecting secrets?