Skip to content

Can you explain the difference between hashing, encryption, and encoding?

Short answer

Encoding (like Base64) is a reversible format change with no secret — not security. Encryption is reversible with a key and protects confidentiality. Hashing is a one-way function producing a fixed-length digest, used for integrity checks and password storage, and cannot be reversed back to the input.

People mix these three up constantly, and conflating them leads to real security mistakes — like "encrypting" a password in Base64. Each does something fundamentally different.

Encoding

Encoding transforms data into another format for compatibility or transport, not secrecy. Base64, URL-encoding, and ASCII are examples. There is no key — anyone can decode it trivially. If you see Base64 protecting a "secret," that's a finding, not a control.

Encryption

Encryption transforms data so it can only be read by someone with the right key, and it is reversible by design. Its purpose is confidentiality. Without the key, the ciphertext is meaningless; with it, you recover the original plaintext exactly. This is what protects data in transit (TLS) and at rest (disk encryption).

Hashing

Hashing runs data through a one-way function (SHA-256, bcrypt, Argon2) to produce a fixed-length digest. You cannot reverse a hash back to its input. Its purposes are integrity (the same input always yields the same hash, so any change is detectable) and password storage (store the hash, compare hashes at login, never store the plaintext).

For passwords specifically, you use a slow hash plus a unique salt per user so identical passwords produce different hashes and precomputed "rainbow table" attacks fail.

The quick test

Ask: can I get the original back, and do I need a secret to do it? Encoding — yes, no secret. Encryption — yes, with a key. Hashing — no, never.

Why this matters

Interviewers use this to catch a classic confusion. A candidate who can state purpose plus reversibility for each, and who knows passwords should be salted and hashed (not encrypted, never encoded), demonstrates exactly the kind of precision that prevents data-breach headlines.

Likely follow-ups

  • Why should passwords be hashed and salted rather than encrypted?
  • What is a salt and what attack does it defend against?
  • Is Base64 ever appropriate for protecting secrets?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.