Key insight

Three things all scramble text, so people confuse them — with real consequences. Encoding changes the format of data and offers no protection at all; anyone can undo it. Encryption hides data so only a key-holder can read it; it is reversible, but only with the key. Hashing turns data into a fingerprint that can never be reversed; it is for proving, not hiding. Passwords should always be hashed and salted — and the classic blunder is treating plain encoding as if it were protection.

Three words describe three things that all turn readable text into a jumble of characters, which is exactly why people mix them up — often with dangerous results. But they exist for three completely different reasons, and using the wrong one is a genuine security mistake. Encoding changes the format of data so a system can carry it; it is not security at all. Encryption hides data so only a key-holder can read it. Hashing turns data into a fixed fingerprint that can never be turned back. Same messy-looking output, three different jobs. Learn to tell them apart and you avoid one of the most common and embarrassing blunders in the field.

1 · Three tools people constantly confuse

Here is the whole topic in one breath. Encoding is for format — and anyone can reverse it. Encryption is for secrecy — reversible only with the right key. Hashing is for proof — and cannot be reversed at all. The scrambled output looks similar in all three cases, which is exactly the trap. What matters is not how jumbled it looks, but which of the three jobs it is actually doing.

Three tools compared: encoding for format, encryption for secrecy, and hashing for proof Three labelled boxes: a blue box labelled Encoding, for format; a violet box labelled Encryption, for secrecy; and an amber box labelled Hashing, for proof. A caption states all three scramble text for three completely different reasons. Encodingfor format Encryptionfor secrecy Hashingfor proof All three scramble text — for three completely different reasons
Figure 1. The output looks similar; the purpose is not. Naming which job you need is what stops the classic mistakes.

2 · Encoding: changing the format, not hiding

Encoding is the odd one out, because despite looking scrambled, it has nothing to do with security. Encoding rewrites data into a different format so some system can handle it reliably. Morse code is encoding: it turns letters into dots and dashes for a telegraph wire. On computers, a common example is Base64, which rewrites data into a plain set of safe characters so it can ride inside an email or a web address without breaking.

The crucial point: anyone can reverse encoding, instantly, with no key and no permission, because that is the whole purpose. So here is the classic blunder — someone sees a long string of Base64 gibberish, assumes it must be protected, and treats it as safe. It is not. Encoded data is public data wearing a costume. It hides nothing.

The blunder to avoid

Treating encoding (like Base64) as protection is how sensitive data quietly leaks. If there is no key, it is not hiding anything — it is just a reformat that anyone can undo.

3 · Encryption: secrecy that needs a key

Encryption is the one people usually mean when they say something is protected, and here they are right. Encryption scrambles data using a secret key, in such a way that the scrambling can only be undone by someone holding the matching key. Without the key, the output is genuine nonsense, useless to anyone who steals it. With the key, it turns back into the exact original.

This is the tool for confidentiality — keeping secret things secret while still letting the right person read them later. The entire strength of encryption rests on that key staying secret: if the key leaks, the protection is gone, because encryption is designed to be reversible. It only ever bet everything on the key being hard to get. Guard the key, and encryption is powerful; lose it, and it was never really protecting anything.

4 · Hashing: a one-way fingerprint

Hashing surprises people, because it is deliberately impossible to reverse — and that is a feature. A hash function takes any input and produces a fixed-length fingerprint with two special properties. First, the same input always produces the exact same fingerprint, every time. Second, there is no key and no way to run it backwards; from the fingerprint alone, you cannot recover the original input, even in principle. A third handy property: change the input by even one character, and the fingerprint changes completely, which makes hashing excellent for spotting tampering.

So hashing is not for hiding data you will later need to read back. It is for proving things: proving two inputs are identical, or proving a file has not been altered, by comparing fingerprints rather than the data itself. This is the digital seal behind the integrity promise from the CIA triad.

Encryption is reversible with a key; hashing is a one-way fingerprint that cannot be reversed On top, a document is encrypted with a key into unreadable text, then decrypted back with the key into the original. On the bottom, a document is hashed into a fingerprint, and a red blocked arrow shows the fingerprint cannot be turned back into the original. Encryption — reversible with a key hello X8$k2#pQ hello Hashing — one way only hello 2cf24dba5f… cannot reverse
Figure 2. Encryption is a locked box you can reopen with the key. A hash is a fingerprint — you can always make it, but never turn it back into the thing it came from.

5 · Why hashing is perfect for passwords

Passwords are where hashing shines. A careful website never stores your actual password anywhere. When you first set it, the site hashes it and stores only the fingerprint. Later, when you log in, the site hashes whatever you just typed and compares the two fingerprints — if they match, you knew the password, all without the real password ever being kept on file.

Now think about a breach. If attackers steal that database, they get a pile of fingerprints, not passwords, and because hashing cannot be reversed, they cannot simply read everyone's password back out. This is exactly why storing passwords with encryption instead of hashing is a mistake: encryption can be reversed, so the day the key leaks, every password leaks with it. Hashing has no such key to lose.

A typed password is hashed, and only the hash is stored, so a stolen database yields no passwords A teal box labelled You type a password leads to an amber box labelled Store only the hash, which leads to a green database box labelled Password never saved. A caption states a stolen list of hashes cannot be turned back into passwords. Type a password Store only the hash Password never saved A stolen list of hashes cannot be turned back into passwords
Figure 3. The site checks that you know the password by comparing fingerprints — the password itself is never stored, so a breach leaks fingerprints, not secrets.

6 · Salting: no two fingerprints alike

One more ingredient turns password hashing from good into genuinely strong: salting. Here is the problem it solves. If two people happen to choose the same password, plain hashing gives them the exact same fingerprint, and attackers exploit this by pre-computing giant tables of common passwords and their fingerprints, then just looking up any stolen hash.

A salt defeats this completely. A salt is a small piece of random data, different for every user, mixed into the password before it is hashed. Now two people with the identical password get two completely different fingerprints, because their salts differ. Those enormous pre-built lookup tables become useless, since the attacker would need a fresh table for every individual salt. The rule that falls out: passwords should always be both hashed and salted, never merely one or the other.

7 · Pick the right tool for the job

The whole topic collapses into one clear decision, and getting it right protects ordinary systems and AI ones alike. Are you just moving or storing data in a format some system needs? That is encoding — remember it offers no protection. Do you need something secret but readable later by the right person? That is encryption — everything rides on guarding the key. Do you need to prove something is unchanged, or check a password without storing it? That is hashing — and for passwords, always with a salt.

The single most common blunder, in traditional software and in AI systems handling sensitive data alike, is treating encoding as though it were protection — sending secrets wrapped only in Base64 and believing they are safe. They are not. Match the tool to the actual job, every time.

8 · A simple test you can run this week

Check how one system handles secrets

1. Find where one system stores its passwords.
2. Are they hashed one-way, or reversible (encrypted or plain)?
3. If they are not hashed and salted, that is the gap.
4. Listen for anyone calling Base64 encoding “encryption” — that confusion is where data leaks.

Three one-line truths to carry: encoding hides nothing; hashing can never be undone; encryption keeps a secret only as long as its key stays secret.

9 · Glossary — every term, spelled out

Encoding
Rewriting data into a different format (like Base64) so a system can carry it. Reversible by anyone, with no key — it is not security.
Encryption
Scrambling data with a secret key so only a key-holder can read it. Reversible, but only with the key.
Hashing
Turning data into a fixed one-way fingerprint that cannot be reversed — used to prove things, not to hide them.
Base64
A common encoding that rewrites data into safe characters for transport; frequently mistaken for protection.
Salt
A small piece of random data, unique per user, mixed into a password before hashing so identical passwords produce different fingerprints.
Key
The secret that encryption depends on; whoever holds it can reverse the encryption, so guarding it is everything.
Integrity
The security promise that data has not been altered — verified in practice by comparing hashes.
Key takeaways

Encoding changes format and protects nothing; anyone can undo it.
Encryption hides data with a key and is reversible — its whole strength is the key staying secret.
Hashing is a one-way fingerprint that can never be reversed, which is exactly why it suits passwords.
Passwords should always be hashed and salted — and the classic blunder is calling plain encoding “encryption.”

References

  1. NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management — password (memorized secret) storage with salted hashing, National Institute of Standards and Technology. csrc.nist.gov
  2. NIST FIPS 180-4, Secure Hash Standard (SHS) — approved hash functions, National Institute of Standards and Technology. csrc.nist.gov
  3. OWASP, Password Storage Cheat Sheet — hashing and salting guidance. owasp.org
  4. This guide’s Encryption At Rest vs In Transit, Explained From Zero — where encryption fits in protecting data.