Skip to content

What's the difference between encoding, encryption, and hashing?

Short answer

Encoding transforms data into another format for compatibility and is fully reversible by anyone with no key (e.g. Base64, URL encoding) — it provides no confidentiality. Encryption is reversible only with a key and is what provides confidentiality. Hashing is a one-way function: you cannot recover the input from the output, which is why it suits integrity checks and password storage (with a salt and slow KDF).

People throw these three words around interchangeably, and that loose usage is exactly what the question targets. Calling Base64 "encryption" is the single fastest way to fail a crypto screen.

The three definitions that matter

  • Encoding changes the representation of data so a system can handle it — Base64, URL encoding, hex. It uses a public, keyless scheme, so anyone can reverse it instantly. Encoding provides zero confidentiality; it is not security, it is formatting.
  • Encryption transforms data so that only a holder of the key can reverse it. It is reversible by design but only for the authorised party. This is the tool that provides confidentiality.
  • Hashing is a one-way function. It maps arbitrary input to a fixed-size digest, and there is no key and no reverse operation. You cannot "decrypt" a hash. It is used for integrity (did the data change?) and, with a salt and a slow KDF, for password storage.

The trap distractors

Each wrong choice swaps one property: claiming encoding needs a key, claiming hashing is reversible "with a salt," or claiming all three are reversible. A salt does not reverse a hash — attackers brute-force or use rainbow tables; they never "decrypt" it.

Quick test

If anyone can undo it without a secret, it is encoding. If a key is required, it is encryption. If it cannot be undone at all, it is hashing.

What interviewers look for

Crisp definitions tied to the right properties — reversibility, key, and purpose — plus the instinct to correct the common "Base64 encryption" mistake.

Likely follow-ups

  • Is Base64 a form of encryption? Why or why not?
  • Why can't you 'decrypt' a hash, and what do attackers do instead?
  • Where would you correctly use each of the three?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.