
What is the difference between "Hashing" and "Encryption"? Structure of security basics and irreversibility
"Hashing" is the basis of Web development and security. Difference from encryption, why it cannot be reversed, why it is essential for password storage. We explain thoroughly from the mechanism to types of hash functions (SHA-256 etc.).
Danger if password is saved "as is"!
Passwords you registered for Web services.
What happens if they are saved "as is" (in plain text) in the database like password123?
In the unlikely event that the contents of the database are leaked by a cyber attack, your password will be completely visible to the attacker. This means that other services (banks, SNS, etc.) where you use the same password will also be hijacked.
The technology to prevent this is "Hashing".
Hash GeneratorGenerate cryptographically secure MD5, SHA-1, and SHA-256 hashes.Similar but completely different! 3 Terms
Three terms often confused in IT terminology are "Encryption", "Hashing", and "Encoding". To understand security, we first need to clarify this difference.
| Term | Irreversibility | Key | Usage | Specific Example |
|---|---|---|---|---|
| Encryption | × (Reversible) | Required | Communication, Personal Information Protection | AES, RSA |
| Hashing | ○ (Irreversible) | Not Required | Password Storage, Falsification Detection | SHA-256, MD5 |
| Encoding | × (Reversible) | Not Required | Data Format Conversion | Base64, URL Encoding |
1. Encryption
Makes data unreadable using a "Key". If you have the correct key, you can return it to the original data (Decrypt). Credit card numbers etc. are encrypted because they need to be viewed when necessary.
2. Hashing
One-way conversion. Once converted to a hash value, it can absolutely never be returned to the original data. This is why it is suitable for password storage. This is because if you hash "the password entered by the user" and check only whether it matches the registered "hash value", there is no need to know the original password.
3. Encoding
This is not a security technology but simply "format conversion". Base64 allows anyone who knows the rule to restore it, so it should not be used for the purpose of hiding passwords.
Mechanism and Features of Hash Function
A hash function is a calculation formula that converts data of arbitrary length (input) into a character string of fixed length (hash value).
Feature 1: Irreversibility
As mentioned earlier, it is impossible to calculate the original data from the hash value. It is the same image as "You cannot restore the original steak meat from minced meat".
Feature 2: Result changes drastically if input changes even slightly
This is called "Avalanche Effect". For example, let's hash with SHA-256.
-
Input:
apple -
Output:
3a7bd... -
Input:
appl**f**(Only 1 character different) -
Output:
9d2b1...
At a glance, it becomes a completely different character string that does not resemble even a bit. Because of this property, it is extremely difficult to guess the original character string from the hash value.
Feature 3: Fixed Length
Even if the input is one character or one dictionary, the length of the output hash value is always the same (64 characters for SHA-256).
Usage Examples Other Than Passwords
Hashing is widely used besides password protection.
File Falsification Detection (Checksum)
When downloading software, "MD5" or "SHA-256" values may be written on the official website. If you calculate the hash value of the file at hand and it matches the value of the official website, it proves that "the file is not broken during download" or "no one has mixed in a virus".
Blockchain
The core of cryptocurrency technology such as Bitcoin is also a hash function. By including the hash value of the previous block in the next block, data is connected like a chain, creating a mechanism where if past data is tampered with, all subsequent hash values change.
Is that password storage really safe?
Threat of Rainbow Table Attack
Hashing is irreversible, but if an attacker has a correspondence table (Rainbow Table) of "common passwords (such as password123)" and "their hash values", the original password will be revealed by matching.
Countermeasures: Salt and Stretching
To prevent this, the following measures are taken.
- Salt: Mix a random string (salt) into the password before hashing.
- Stretching: Repeat hashing thousands to tens of thousands of times. By taking time for calculation, brute force attacks are delayed.
Currently, it is standard use algorithms called Bcrypt or Argon2 that do these automatically.
Frequently Asked Questions (FAQ)
Q. Can't I use MD5?
A. Yes, it is deprecated for security purposes. MD5 is too fast in calculation speed and weak against brute force attacks, and an attack method to find "collision (generating the same hash value from different data)" has been established. SHA-1 is similar. Currently, let's use SHA-256 or higher, or Bcrypt.
Q. Is there a site that "notifies" me of the forgotten password?
A. If there is a site that sends "Your current password is XX" by email, you should withdraw and change your password immediately. It is evidence that the site saves passwords without hashing (or saves them with encryption that can be decrypted), and security awareness is extremely low. Originally, only "Password Reset" should be possible.
Summary
Hashing is "unsung hero" supporting trust in digital society. We are not usually conscious of it, but every time we log in, update an app, or send cryptocurrency, hash functions are working in the background.
If you use Jenee's tool, you can hash your favorite words and see their "irreversible appearance". Please try it.
Hash GeneratorGenerate cryptographically secure MD5, SHA-1, and SHA-256 hashes.Related Articles


