Hashing vs Encryption: What a Hash Can and Cannot Do
Hashing and encryption both turn readable data into something that looks scrambled, which is why they are so often confused. But they solve opposite problems. Encryption is a locked box you can open again with the right key. Hashing is a paper shredder: it produces a fixed-size fingerprint and there is no way to reassemble the original from it. Generate a hash of any text or file with the Hash Generator and see the fingerprint for yourself, computed in your browser.
The core difference: direction
Encryption is two-way and reversible. You encrypt plaintext with a key to get ciphertext, and anyone with the right key can decrypt it back to the exact original. The whole point is to recover the data later, so confidentiality, keeping it secret from those without the key, is the goal.
Hashing is one-way and not reversible. A hash function takes input of any size and produces a fixed-length digest, and there is no key and no inverse. A 600-page book and a single letter both hash to the same fixed length. For any input larger than the digest, information must be thrown away to fit; and the function is deliberately built so that even a short input cannot be worked backwards, a property called preimage resistance. You cannot get the book back from its hash any more than you can rebuild a document from its page count. The goal is not secrecy but a fingerprint: a short value that stands in for the data and changes completely if the data changes.
| | Hashing | Encryption |
|---|---|---|
| Direction | One-way | Two-way |
| Key | None | Required |
| Output size | Fixed, regardless of input | Roughly the size of the input |
| Reversible? | No | Yes, with the key |
| Used for | Integrity, fingerprints, lookups | Confidentiality |
You cannot decrypt a hash
This is also why hashing alone is the wrong choice for protecting passwords: attackers do not need to reverse the hash, they just hash every word in a dictionary. The defense is to make each guess slow and unique, which is a separate topic covered in the guide on how passwords are stored.
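The point above as an added example (not code from the original page): two accounts with the same password get the same unsalted SHA-256 digest, so one precomputed table answers both, while a per-user salt and a slow key-derivation function make every record unique. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample words are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, shown only as the weak baseline."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(digest: str, wordlist: List[str]) -> Optional[str]:
    """One table built from a wordlist answers every unsalted digest it contains."""
    table = {fast_hash(word): word for word in wordlist}
    return table.get(digest)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) using a fresh random salt and a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def check_password(password: str, salt: bytes, key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    wordlist = ["letmein", "sunshine", "dragon"]  # constructed sample
    alice, bob = fast_hash("sunshine"), fast_hash("sunshine")
    print(alice == bob, table_lookup(alice, wordlist))  # identical digests, found in the table
    rec_a, rec_b = store_password("sunshine"), store_password("sunshine")
    print(rec_a[1] == rec_b[1])  # different salts give different stored keys
    print(check_password("sunshine", *rec_a), check_password("dragon", *rec_a))
```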
What makes a hash function good
A cryptographic hash function is judged on a few properties:
- Deterministic: the same input always produces the same digest, so two parties can compare fingerprints.
- Preimage resistance: given a hash, it is infeasible to find any input that produces it. This is the one-way property.
- Collision resistance: it is infeasible to find two different inputs that hash to the same value. When this breaks, the hash is no longer safe for signatures.
- The avalanche effect: changing a single bit of the input flips about half the bits of the output, so similar inputs look unrelated.
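The determinism and avalanche properties can be measured directly. This added example (not from the original page) flips every input bit of a sample message in turn and counts how many of SHA-256's 256 output bits change; the sample message and function names are assumptions.

```python
import hashlib
from typing import Tuple

SAMPLE = b"The quick brown fox jumps over the lazy dog"  # constructed sample input


def sha256_bits(data: bytes) -> int:
    """SHA-256 digest as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def flipped_output_bits(data: bytes, bit_index: int) -> int:
    """Flip one input bit and count how many of the 256 output bits change."""
    mutated = bytearray(data)
    mutated[bit_index // 8] ^= 1 << (bit_index % 8)
    diff = sha256_bits(data) ^ sha256_bits(bytes(mutated))
    return bin(diff).count("1")


def avalanche_profile(data: bytes) -> Tuple[int, float, int]:
    """Return (min, mean, max) changed output bits over every single-bit flip."""
    if not data:
        raise ValueError("need at least one input byte to flip")
    counts = [flipped_output_bits(data, i) for i in range(len(data) * 8)]
    return min(counts), sum(counts) / len(counts), max(counts)


if __name__ == "__main__":
    # Deterministic: hashing the same bytes twice gives the same value.
    print(sha256_bits(SAMPLE) == sha256_bits(SAMPLE))
    low, mean, high = avalanche_profile(SAMPLE)
    print(f"changed bits per single-bit flip: min={low} mean={mean:.1f} max={high}")
```

A mean close to 128 is the "about half the bits" behaviour described in the list; a weak function would show a mean far from half or flips that change only a few output bits.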
MD5 and SHA-1 are broken; use SHA-256
Two old hashes still turn up everywhere and should not be trusted for anything security-related. MD5 and SHA-1 have both had practical collisions demonstrated, meaning attackers can construct two different files with the same hash. That defeats their use in digital signatures and certificates. They may still appear as quick checksums for accidental corruption, but for anything where an adversary is involved, they are unsafe.
| Algorithm | Digest size | Status |
|---|---|---|
| MD5 | 128-bit | Broken, do not use for security |
| SHA-1 | 160-bit | Broken, being retired |
| SHA-256 (SHA-2) | 256-bit | Recommended for integrity today |
| SHA-3 | 224 to 512-bit | Modern alternative, different internal design |
Where hashing actually shines
Hashing is everywhere once you know to look. It verifies that a download arrived intact when you compare a published checksum against the file you received. It lets Git name a commit by the hash of its contents. It powers fast lookups in hash tables and deduplication by giving identical data the same short id. In each case the value of a hash is the same: a compact, reliable fingerprint that proves two pieces of data are the same without revealing or storing the data itself.
Fingerprint your data privately
The Hash Generator computes MD5, SHA-1, SHA-256 and more locally in your browser, so the text or file you fingerprint is never uploaded. If you want the authoritative descriptions of the modern algorithms, the SHA-2 and SHA-3 families are specified by NIST in FIPS 180-4 and FIPS 202.