Hashing vs encryption: What’s the difference?

To be effective, cybersecurity must be easy to understand and follow. But hashing has always raised a ton of questions. Is it a type of encryption? What algorithms are safe to use? And why do we have to salt it? Today, we’re going to dive into the world of hashing vs encryption and explain everything you need to know.

What is encryption?

Encryption is the process of securing data. Regardless of the algorithms used, you use a key to convert a plaintext message into a cipher text. When needed, the action can be performed in reverse, i.e., you can convert the cipher text back into the original plaintext message. If you want to know more about encryption, check out the most common types of encryption.

Another very important part of encryption — specifically, public-key encryption — is that the parties sharing the encrypted data can be authenticated. Lastly, encrypting the same file multiple times may give you a different output, which is not the case when you hash something.

What is hashing?

Hashing is a cryptography process that, just like encryption, scrambles up data. But hash algorithms digest the original data into a fixed-length hash, or a hash value. Regardless of the size of the original message, the same hashing algorithm will output the same number of characters. In other words, whether you’re hashing a password or a set of Encyclopedia Britannica, hashing could turn both into a 20-character hash.

A good hashing algorithm must have certain qualities, like:

• Speed. Sometimes, you need to hash large files, like HD video recordings.
• Irreversible. Unlike encryption, you never want to be able to turn a hash back into its original form. We’ll touch on this later when we talk about password hashing.
• Secure. Securing hashes means that their value must change substantially if the message is changed. The best hashing algorithms will change completely even if a single character is altered.
• Unique. Hashes of two different files should not come out the same. When this occurs (and it sometimes does), it’s called a hashing collision.

Also, a good practice is to couple hashes with salt. Salting is a process of adding randomized characters to the original password. Salt is added to your password before a hash is derived. Salting makes your password, or rather its hash, unique and thus much harder to crack.

Why is a hashing collision bad?

One of the key features of a hashing algorithm is its uniqueness. You don’t want two files to have the same hash because it defeats the purpose of the entire process.

While we will cover hashing uses in more depth later, in short, it’s mainly used to confirm the authenticity of passwords without revealing the passwords themselves.

Let’s say your password “un!cornsf0rever” has been hashed to a value of “qwe123.” If someone can create a password that is also hashed to a value of “qwe123,” they can get into your account. Remember, apps and services don’t actually use passwords – they only compare hashes.

Unfortunately, hashing collisions can happen by chance or can be created deliberately. To avoid this problem, different hashing collision resolutions like open and closed hashing or double hashing can be performed.

The difference between hashing vs encryption

By now, there shouldn’t be much confusion left when it comes to hashed vs encrypted data. But, just in case, let’s bring it all together before we move on to hashing algorithms.

• Hashing is not a type of encryption — it’s a form of cryptographic security.
• Encryption works both ways, while hashing is a one-way function.
• Hashing boils down the original to a fixed set of characters. This is not the case with encrypted messages.
• Encryption secures data, while hashing protects its integrity.

Hashing is commonly used for protecting passwords. If you had to store users’ data, you would generate password hashes and store those in a database instead of the real passwords. During authentication, the user's password hash is compared to the hash in the database. If they match, the user gets access to their account.

Why is hashing necessary?

We’ve just talked about using hashing for passwords. But since it’s not a flawless process (more on that later), maybe we should scratch hashing entirely and use encryption? We know that strong encryption can keep data safe for hundreds of years. However, while hashing does not offer superior data security, it’s important in a variety of other ways.

How hashing is used

• Hashing is used for digital signatures. Similarly to passwords, two hashes are compared in order to verify someone’s identity.
• Protecting file integrity. You can compare the hashes of an important document to determine whether it was altered without your knowledge.
• Hashing can help compare large data sets. Checking two 10,000-user databases may take a long time, unlike comparing their hashes.
• Detecting plagiarism. Some hashing algorithms can search for patterns that could indicate plagiarism.
• Programming languages use hash tables to differentiate between programming functions like “if” and actual words.

These are just a few applications of hashing algorithms. Now, let’s take a look at the algorithms themselves.

Common hashing algorithms

Hashing algorithms define the rules for how the hash is created. If the algorithm is unsafe, hackers could reverse engineer it to reveal the original message. Here are some of today’s best-known hashing algorithms.

MD5

By far, MD5 is one of the most used hashing algorithms in the world. But there’s a caveat — MD5 is broken. It has been broken for a long time. Most notably, MD5 is prone to hash collisions, a malicious or accidental way to create two documents with the same hash.

The SHA family

Secure Hash Algorithm, or SHA, took the baton from MD5 to become the most popular hashing algorithm worldwide. Developed by the NSA, the algorithm is now in its third iteration, SHA-2. Unlike its previous versions, SHA-0 and SHA-1, which worked similarly to MD5, SHA-2 is much more fit to handle the cybersecurity of the modern day because of its six possible variations: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. 

There’s already a SHA-3 algorithm ready to take over when called upon. It’s faster and was designed to withstand the attacks that SHA-2 could be vulnerable to.

Argon2

Argon2 is a key derivation function highly recommended for passwords. It has three versions: Argon2d, Argon2i, and Argon2id. This is what we use at NordLocker. If you already have an account, you’ll have a master password. We use Argon2id to generate a key from your master password with salt that is used to encrypt and decrypt your secret key.

Tiger

Tiger is a hash function from the mid-1990s. It’s known for its speed and, despite its age, is still considered secure. Tiger can produce 128-, 160-, and 198-bit hashes. Now, there is a new generation of the algorithm, Tiger2.

Protecting password hashes with salt

What happens when password hashes are not salted? Since identical hashes mean identical inputs, your password could be in danger if someone else has already used that password before. In fact, online tools can compare your password hash with over 800 billion cracked hashes to derive the original password.

There’s another way to exploit password hashes. A hacker can calculate values for every combination (a, ab, abc, etc.) and then compare your password hash with the database that they just created. It may be tedious and time-consuming, but it’s also totally doable. That’s why leaving hashes unsalted is really unsafe.

Conclusion

While hashing is a necessary part of cybersecurity, it’s also useful in many other fields. However, hashing does have some big problems when it comes to storing passwords. For example, some companies still use outdated hash algorithms like the MD5, and too many store their user passwords unsalted.

That’s why you should always have multi-factor authentication enabled. If someone figures out your password or a database with unsalted hashes is leaked online, your account will still be secure. In addition, when you want to share files securely, use end-to-end encryption apps like NordLocker.