Hashing vs encryption: What’s the difference?
Sep 22, 2021
To be effective, cybersecurity must be easy to understand and follow. But hashing has always raised a ton of questions. Is it a type of encryption? What algorithms are safe to use? And why do we have to salt it? Today, we’re going to dive into the world of hashing vs encryption and explain everything you need to know.
What is encryption?
Encryption is the process of securing data. Whatever algorithm is used, a key converts a plaintext message into ciphertext. When needed, the operation can be reversed: with the key, the ciphertext is converted back into the original plaintext message.
Another very important part of encryption — specifically, public-key encryption — is that the parties sharing the encrypted data can be authenticated. Lastly, encrypting the same file multiple times may give you a different output, which is not the case when you hash something.
What is hashing?
Hashing is a cryptographic process that, like encryption, scrambles data. But a hash algorithm digests the original data into a fixed-length output, the hash value. Regardless of the size of the original message, the same hashing algorithm always outputs the same number of characters. In other words, whether you’re hashing a single password or the entire Encyclopaedia Britannica, the same algorithm could turn both into a 20-character hash.
A good hashing algorithm must have certain qualities, like:
- Speed. Sometimes, you need to hash large files, like HD video recordings.
- Irreversible. Unlike encryption, you never want to be able to turn a hash back into its original form. But we’ll touch on this later when we talk about password hashing.
- Secure. A secure hash changes substantially whenever the message changes. With the best hashing algorithms, altering a single character produces a completely different hash.
- Unique. Hashes of two different files should not come out the same. When this does occur (and it sometimes does), it’s called a hash collision.
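The fixed-length, speed and "single character changes everything" qualities above, shown with SHA-256 from Python's standard library. This is an added example, not code from the original post; the inputs (a short password and a constructed 5 MiB blob standing in for a large file) are made up for the demonstration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hash an in-memory message with SHA-256 and return its 64-character hex digest."""
    return hashlib.sha256(data).hexdigest()

def sha256_stream(chunks) -> str:
    """Hash a large input piece by piece (as you would an HD video file) without
    loading all of it into memory; the result equals hashing the concatenation."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def avalanche(msg_a: bytes, msg_b: bytes) -> int:
    """How many of SHA-256's 256 output bits change between two messages;
    a good hash lands near 128 even when only one character differs."""
    return bit_difference(sha256_hex(msg_a), sha256_hex(msg_b))

if __name__ == "__main__":
    # Constructed inputs: an 8-byte password and five 1 MiB chunks generated lazily.
    short = b"password"
    big = (b"A" * (1 << 20) for _ in range(5))
    print(sha256_hex(short))                    # 64 hex characters
    print(sha256_stream(big))                   # also 64 hex characters: same fixed length
    print(avalanche(b"password", b"passwore"))  # one letter changed, roughly half the bits flip
```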
Also, a good practice is to couple hashes with salt. Salting is the process of adding random characters to the original password before the hash is derived. This makes the password, or rather its hash, unique, and thus much harder to crack.
The difference between hashing vs encryption
By now, there shouldn’t be much confusion left when it comes to hashed vs encrypted data. But, just in case, let’s bring it all together before we move on to hashing algorithms.
- Hashing is not a type of encryption — it’s a form of cryptographic security.
- Encryption works both ways, while hashing is a one-way function.
- Hashing boils the original down to a fixed number of characters. This is not the case with encrypted messages.
- Encryption secures data, while hashing protects its integrity.
Hashing is commonly used for protecting passwords. To do this, you generate password hashes and store those in a database instead of the real passwords. During authentication, the hash of the password the user enters is compared to the hash in the database. If they match, the user gets access to their account.
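The register-then-verify flow just described, as an added example (not the post's or NordLocker's code). It stores a per-user random salt alongside the hash and uses hashlib.scrypt, a memory-hard key derivation function from the standard library, as a stand-in for Argon2id; the parameter values and the in-memory "database" are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters; a real deployment tunes these to its hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt and hash.
    The salt is 16 fresh random bytes, so two users with the same password
    still get different records."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))

# Constructed in-memory "database": username -> stored record, never the password.
USER_DB = {}

def register(username: str, password: str) -> None:
    USER_DB[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    record = USER_DB.get(username)
    if record is None:
        hash_password(password)  # hash anyway so unknown users take as long as wrong passwords
        return False
    return verify_password(password, record)
```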
Why is hashing necessary?
We’ve just talked about using hashing for passwords. But, since it’s not a flawless process (more on that later), maybe we should scratch hashing entirely and use encryption? We know that strong encryption can keep data safe for hundreds of years. However, while hashing does not offer superior data security, it’s important in a variety of other ways.
How hashing is used
- Hashing is used in digital signatures. As with passwords, two hashes are compared in order to verify someone’s identity.
- Protecting file integrity. You can compare the hashes of an important document to determine whether it was altered without your knowledge.
- Hashing can help compare large data sets. Checking two 10,000-user databases may take a long time, unlike comparing their hashes.
- Detecting plagiarism. Some hashing algorithms can search for patterns that could indicate plagiarism.
- Programming languages use hash tables to tell keywords like “if” apart from ordinary words in the code.
These are just a few applications of hashing algorithms. Now, let’s take a look at the algorithms themselves.
Common hashing algorithms
Hashing algorithms define the rules for how the hash is created. If the algorithm is unsafe, hackers could reverse-engineer it to reveal the original message. Here are some of today’s most well-known hashing algorithms.
MD5
By far, this is one of the most used hashing algorithms in the world. But there’s a caveat — MD5 is broken, and it has been for a long time. Most notably, MD5 is prone to hash collisions: two different documents, created maliciously or by accident, that produce the same hash.
The SHA family
Secure Hash Algorithm, or SHA, took up the baton from MD5 to become the most popular hashing algorithm worldwide. Developed by the NSA, the family is now in its third iteration, SHA-2. Unlike its predecessors, SHA-0 and SHA-1, which worked similarly to MD5, SHA-2 is much better suited to modern-day cybersecurity, with six variants to choose from: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
There’s already a SHA-3 algorithm ready to take over when called upon. It’s faster and was designed to withstand the attacks that SHA-2 could be vulnerable to.
Argon2
Argon2 is a key derivation function highly recommended for passwords. It has three versions: Argon2d, Argon2i, and Argon2id. This is what we use at NordLocker. If you already have an account, you’ll have a master password. We use Argon2id to generate a key from your master password with salt that is used to encrypt and decrypt your secret key.
Tiger
Tiger is a hash function from the mid-1990s. It’s known for its speed and, despite its age, is still considered secure. Tiger can produce 128-, 160-, and 198-bit hashes. Now, there is a new generation of the algorithm, Tiger2.
Protecting password hashes with salt
What happens when password hashes are not salted? Since identical inputs produce identical hashes, your password is in danger if someone else has used the same password before and its hash is already known. In fact, there are tools online that can compare your password hash with over 800 billion cracked hashes to derive the original password.
There’s also another way to exploit password hashes. A hacker can compute the hash of every possible input (a, ab, abc, etc.) and then compare your password hash against the table they just built. It may be tedious and time-consuming, but it’s also totally doable. That’s why leaving hashes unsalted is really unsafe.
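Why the two problems above come down to missing salt, shown as an added example that is not part of the original post: with unsalted SHA-256, two users who chose the same password have identical stored hashes, and a table hashed in advance identifies both; a random per-user salt makes the stored values differ and the precomputed table useless. The five-word candidate list and the user records are constructed toy data, and plain SHA-256 is used only to isolate the salting point (a real store would add a slow KDF on top).

```python
import hashlib
import os

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt + password; a fresh random salt per user breaks the
    link between equal passwords and equal hashes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def precomputed_table(candidates) -> dict:
    """Hash every candidate once, up front: the lookup table the text describes."""
    return {unsalted_hash(c): c for c in candidates}

def lookup(table: dict, stored_hash: str):
    """Return the password behind stored_hash if the table already holds it, else None."""
    return table.get(stored_hash)

# Constructed toy data: a tiny candidate list and two users who picked the same password.
CANDIDATES = ["letmein", "summer2021", "qwerty", "hunter2", "dragon"]
TABLE = precomputed_table(CANDIDATES)

def unsalted_demo() -> dict:
    """Unsalted store: identical hashes, and one table lookup reveals both passwords."""
    stored = {"alice": unsalted_hash("hunter2"), "bob": unsalted_hash("hunter2")}
    return {user: lookup(TABLE, h) for user, h in stored.items()}

def salted_demo() -> dict:
    """Salted store: different hashes for the same password, and the table finds nothing."""
    stored = {user: salted_hash("hunter2", os.urandom(16)) for user in ("alice", "bob")}
    return {user: lookup(TABLE, h) for user, h in stored.items()}

if __name__ == "__main__":
    print(unsalted_demo())  # both users identified from the precomputed table
    print(salted_demo())    # nothing found: the table was built without the salts
```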
While hashing is a necessary part of cybersecurity, it’s also useful in many other fields. However, hashing does have some big problems when it comes to storing passwords. For example, some companies still use outdated hash algorithms like MD5, and too many store their users’ password hashes unsalted.
That’s why you should have multi-factor authentication always enabled. If someone figures out your password or a database with unsalted hashes is leaked online, your account would still be secure. Also, when you want to share files securely, use end-to-end encryption apps like NordLocker.
Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.