Encryption vs. Hashing
In security, we often talk about "encrypting passwords." Technically, this is wrong: a stored password should never be encrypted, because anyone who obtains the key can recover every password at once. You should hash it instead.
Encryption (Two-Way)
Encryption is designed to be reversible. It is like a safe with a key.
- Goal: Hide data so it can be safely sent, then read later by authorized people.
- Example: Sending a credit card number to a bank. The bank needs to be able to unlock (decrypt) it to charge you.
- Mechanism: Message + Key = Scrambled Data. Later, Scrambled Data + Key = Message. (With public-key encryption the decrypting key is different from the encrypting key, but the data is still recoverable by design.)
Hashing (One-Way)
Hashing is designed to be irreversible. It is like putting a document into a blender.
- Goal: Create a practically unique "fingerprint" of data. Two different inputs should never produce the same output (a collision), and no input should be recoverable from the output.
- Example: Passwords.
- Mechanism: Message -> Algorithm -> Fixed-Length String (the digest).
Why Hash Passwords?
When you create an account, the website should not save your password "Secret123". If they get hacked, the hacker sees "Secret123".
Instead, the site runs your password through a hash function, which turns it into something like: a5d3...9f2b
They save that gibberish. One caveat: a general-purpose hash such as SHA-256 on its own is not good enough for passwords. It is fast, and it gives the same output for the same input every time, so an attacker with a stolen database can precompute the hashes of millions of common passwords and match them against every user at once. Password storage should use a dedicated password hash (Argon2id, scrypt, bcrypt or PBKDF2) that is deliberately slow and that mixes in a random per-user value called a salt, so each guess costs real work and no precomputed table applies to more than one user.
When you log in next week, you type "Secret123". The site hashes it again, using the same salt and settings it stored for you. If the result matches the stored gibberish, they know you typed the right password. The site only ever handles your password for that moment; it never needs to store it.
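The store-and-verify flow described above, as an added example that is not from the original page. It uses only Python's standard library; the iteration count, salt size and record format are assumptions made for this example, and the candidate password list is constructed. It also goes one step beyond the bare SHA-256 scheme to show why that scheme is not enough: a precomputed lookup table recovers the unsalted digest instantly, while the salted, slow PBKDF2 record cannot be attacked with a shared table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for the example (not from the original page): a tiny
# "common passwords" list standing in for the multi-million-entry lists attackers use.
COMMON_PASSWORDS = ["123456", "password", "Secret123", "qwerty", "letmein"]

# Assumed parameters: PBKDF2-HMAC-SHA256 with a high iteration count so each
# guess is deliberately slow. Argon2id or scrypt are better choices where a
# library is available; PBKDF2 is used here because it ships in the standard library.
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16


def sha256_hex(data: bytes) -> str:
    """Plain one-way hash: any input size in, a fixed 64-hex-character digest out."""
    return hashlib.sha256(data).hexdigest()


def fast_unsalted_store(password: str) -> str:
    """The naive scheme: a bare, deterministic SHA-256 of the password, no salt."""
    return sha256_hex(password.encode("utf-8"))


def lookup_table_attack(stored: str, candidates) -> Optional[str]:
    """Precompute the digest of every candidate once, then look up the stored value.

    Because the naive scheme has no salt, the same table cracks every user who
    chose a common password, at a total cost of one hash per candidate.
    """
    table = {sha256_hex(c.encode("utf-8")): c for c in candidates}
    return table.get(stored)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow password hash. Record format: name$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return f"{KDF_NAME}${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and parameters; compare in constant time."""
    try:
        name, iterations, salt_hex, digest_hex = stored.split("$")
        if name != KDF_NAME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Naive scheme: the stored digest is recovered instantly from a precomputed table.
    naive = fast_unsalted_store("Secret123")
    print("naive SHA-256 record:", naive)
    print("lookup-table result:", lookup_table_attack(naive, COMMON_PASSWORDS))

    # Salted, slow scheme: same password, a different record each time, no table reuse.
    record = hash_password("Secret123")
    print("PBKDF2 record:", record)
    print("login with right password:", verify_password("Secret123", record))
    print("login with wrong password:", verify_password("Secret124", record))
```

The record stores its own algorithm name, iteration count and salt, so the server can raise the iteration count for new accounts later and still verify old ones; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched through timing differences.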
Visual Summary
| Feature | Encryption | Hashing |
|---|---|---|
| Reversible? | Yes (with the key) | No (designed so that reversing it is computationally infeasible) |
| Output Size | Roughly the same as the input | Fixed length (always the same size, whatever the input) |
| Use Case | Private Messages, Files | Passwords, File Integrity Checks |