Hashing vs. Encryption: Definitions & Differences
Encryption protects the confidentiality of data, in motion and at rest, and can be reversed by whoever holds the key. Hashing produces a one-way, fixed-size fingerprint of data, used to detect changes and to check passwords without storing them.
Combining the two puts a stronger security boundary around critical assets. But each has limits and failure modes you should know about.
Encryption & Hashing: Simple Definitions
Tally up all the sensitive information sitting on your server right now. Add in all the data you pass back and forth with customers, clients, and contractors. How do you keep everything safe?
Some people use the terms encryption and hashing interchangeably. While it's true that both are used to safeguard information, they do so in very different ways.
Consider these basic definitions:
- Encryption scrambles data so that it can be recovered only by whoever holds the right key. The intent is to pass the information to another party (or to store it and read it back later), and the recipient uses the key to decrypt it.
- Hashing transforms data into a fixed-length digest from which the original cannot be recovered. The intent is to detect change: recompute the digest and compare it with the one recorded earlier, and any alteration shows up as a mismatch. No decryption key exists. A plain hash proves integrity, not origin; to prove who produced the data you need a keyed construction such as an HMAC or a digital signature.
Both methods involve shielding something sensitive from prying eyes. But clearly, they have different goals and core functions.
How Does Encryption Work?
Encryption is a reversible scramble of important information. The recipient gets unreadable ciphertext, but the matching decryption key turns it back into the original. Put them together, and the meaning of the message becomes clear.
Close to 40 percent of companies surveyed in 2015 had an enterprise-wide encryption strategy in operation, and that number rises every year. The practice is especially critical in business sectors that deal almost exclusively with private data, such as:
- Credit unions
- Insurance companies
Most consumers assume that the login details they share are protected as soon as they type them in. In practice that protection comes from two different mechanisms: the password is encrypted in transit (by TLS between browser and server) and should be hashed, never encrypted, once it reaches the server.
Encryption is so widely accepted, in part, because the idea has been with us for thousands of years. In ancient Egypt, for example, scribes sometimes replaced standard hieroglyphs with unusual ones, and only those who knew the substitution could read what an inscription actually said.
At its core, encryption is remarkably simple. Information moves from one party to another in an illegible state, and the holder of the key translates it on arrival.
End users typically don't handle keys directly, but keys must still be established before data can flow. When a browser connects to a site over HTTPS, the server sends its certificate, which carries the server's public key. The browser checks that the certificate is valid for that site, the two sides agree on a fresh symmetric session key, and that session key, not the certificate, is what encrypts the traffic.
Common Encryption Techniques
Encryption involves transforming data into a form that can't be read without a key of some sort.
In the past, people used simple techniques that scrambled messages via:
- Shifting. Code builders select a number, and they shift all letters of the alphabet accordingly. To decode the message, the recipient shifts the values back.
- Substituting. An alternate alphabet is created, and the message is scrambled according to those rules. The recipient uses the code to transform the message into a legible state.
- Symbols. The regular, readable alphabet is replaced with numbers or symbols. The recipient uses the code to transform the text on receipt.
These methods are crude, and they're remarkably easy to break. The key space is tiny (a shift cipher has only 26 keys), and the letter frequencies of the language leak straight through the scramble. As soon as you have determined the rule, you can read the note. Modern techniques are different.
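To make the "easy to break" claim concrete, here is an added example (not code from the original article): a shift cipher together with an attacker that recovers the key with no knowledge of it, simply by trying all 26 shifts and keeping the candidate whose letters look most like English. The message and the letter-frequency table are constructed for the demonstration.

```python
import math

# Relative letter frequencies of English text (percent), used to score candidate decryptions.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228, "g": 2.015,
    "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025, "m": 2.406, "n": 6.749,
    "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987, "s": 6.327, "t": 9.056, "u": 2.758,
    "v": 0.978, "w": 2.360, "x": 0.150, "y": 1.974, "z": 0.074,
}

# Constructed sample message; long enough for letter statistics to be meaningful.
MESSAGE = (
    "The enemy will attack the eastern bridge at dawn tomorrow so move the supply "
    "wagons to the southern road tonight and keep the lanterns dark."
)


def caesar_encrypt(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, keeping case; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, shift: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(text, -shift)


def english_score(text: str) -> float:
    """Log-likelihood of the letters under the English frequency model; higher is more English-like."""
    return sum(math.log(ENGLISH_FREQ[ch] / 100) for ch in text.lower() if ch in ENGLISH_FREQ)


def break_caesar(ciphertext: str) -> tuple:
    """Exhaust the 26-key space and return (shift, plaintext) for the best-scoring candidate."""
    best = max(range(26), key=lambda s: english_score(caesar_decrypt(ciphertext, s)))
    return best, caesar_decrypt(ciphertext, best)


if __name__ == "__main__":
    ciphertext = caesar_encrypt(MESSAGE, 17)
    print("ciphertext:", ciphertext)
    shift, plaintext = break_caesar(ciphertext)
    print(f"recovered shift {shift}: {plaintext}")
```

The attack needs no key material and no special insight: a 26-entry key space is exhausted instantly, and the frequency model picks the right answer because a substitution preserves how often each symbol occurs. Modern ciphers are designed so that neither shortcut exists: the key space is 2^128 or larger and the ciphertext is statistically indistinguishable from random bytes.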
The algorithms used to encrypt and decrypt are known as ciphers (a cipher operates on letters or bits; a code replaces whole words or phrases), and two main types exist.
- Symmetric ciphers use a single secret key that both the sender and the recipient hold. Whoever has that one key can both encrypt data and decrypt data sent to them. The weak point is getting the key to the other side over a channel the attacker can't read.
- Asymmetric ciphers use a key pair. The public key can be handed to anyone and is used to encrypt (or to verify a signature). The private key never leaves its owner and is used to decrypt (or to sign). Security rests on it being infeasible to derive the private key from the public one.
Symmetric ciphers are fast. Asymmetric ciphers are orders of magnitude slower, so real systems such as TLS and PGP use an asymmetric operation only to establish or wrap a symmetric session key and encrypt the bulk of the data symmetrically.
Modern encryption products include:
- Advanced Encryption Standard (AES). A symmetric block cipher standardized by NIST in 2001. It encrypts 128-bit blocks under 128-, 192- or 256-bit keys through 10, 12 or 14 rounds of substitution and permutation. Use it in an authenticated mode such as AES-GCM; a mode that provides no integrity check (ECB, or CBC on its own) lets an attacker modify ciphertext without detection.
- Twofish. A symmetric 128-bit block cipher designed by Bruce Schneier's team in 1998 as a candidate in NIST's competition to replace DES (the competition that produced AES). Twofish is fast, and it was designed for network applications that require frequently changing keys.
- Pretty Good Privacy (PGP). Software based on the OpenPGP standard. It is a hybrid system: each message is encrypted with a fresh symmetric key, and that key is encrypted with the recipient's public key. The standard has been revised repeatedly in response to attacks.
This is a sampling of the encryption algorithms available. There are many more. What you should not do is build your own to address a vulnerability in your company's systems: an algorithm that has not survived years of public cryptanalysis has no evidence behind it, and home-grown ciphers are routinely broken. Use a vetted library and spend the effort on key management instead.
How Hashing Works
Hashing transforms data into a fixed-size digest so that tampering can be detected and secrets such as passwords can be checked without being stored. Protection is the goal, but the technique isn't built with decoding in mind: there is nothing to decode.
Consider a company with scores of usernames and passwords on file. Since customers often reuse passwords across sites, an exposure of that data could compromise many accounts elsewhere. Storing a salted, slow hash instead of the password itself means an attacker who steals the table still has to guess each password, while the company can still verify a login by hashing the submitted password and comparing it with the stored digest.
Hashing doesn't anonymize data, although plenty of people believe that it does. A hashed email address or phone number can be recovered by hashing candidate values and comparing, because the space of possible inputs is small. Hashing protects data from being altered, and it hides high-entropy secrets; it does not hide low-entropy identifiers.
A hash function has no key and no inverse. The process is used to detect alterations, and the digest, not the original, is what gets stored.
Hashing is done by a deterministic algorithm: the same input always produces the same digest, changing a single bit of the input produces an unrelated digest, and the digest can't be turned back into the original.
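The properties above, as an added example that is not part of the original article: a SHA-256 integrity check over a constructed configuration file, the avalanche effect on a one-bit change, why an unkeyed digest cannot stop an attacker who can rewrite both the file and its digest (an HMAC can), and a dictionary lookup that reverses a "hashed" email address. The file contents, key and candidate list are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample: a configuration file whose digest was recorded at deploy time.
CONFIG = (
    b"listen = 0.0.0.0:443\n"
    b"tls_min_version = 1.2\n"
    b"admin_allowed_from = 10.0.0.0/8\n"
)
# Constructed secret for the HMAC demonstration; a real key comes from a KMS or secret store.
INTEGRITY_KEY = b"\x01" * 32


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone can compute it, including an attacker who edits the data."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time; a mismatch means the bytes changed."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Change a single bit so the avalanche effect can be observed."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def hamming_distance_hex(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two digests of equal length."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authenticity(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def attacker_rewrites(data: bytes) -> Tuple[bytes, str]:
    """An attacker with write access loosens the admin ACL and recomputes the unkeyed digest."""
    tampered = data.replace(b"10.0.0.0/8", b"0.0.0.0/0")
    return tampered, sha256_hex(tampered)


def reverse_hashed_email(digest_hex: str, candidates) -> Optional[str]:
    """Hashing does not anonymize low-entropy values: hash each guess and compare."""
    for email in candidates:
        if hmac.compare_digest(sha256_hex(email.encode("utf-8")), digest_hex):
            return email
    return None


if __name__ == "__main__":
    recorded = sha256_hex(CONFIG)
    print("one-bit change flips",
          hamming_distance_hex(recorded, sha256_hex(flip_one_bit(CONFIG))), "of 256 digest bits")
    tampered, fresh_digest = attacker_rewrites(CONFIG)
    print("plain digest accepts attacker's file:", verify_integrity(tampered, fresh_digest))
    tag = hmac_sha256_hex(INTEGRITY_KEY, CONFIG)
    print("HMAC accepts attacker's file:", verify_authenticity(INTEGRITY_KEY, tampered, tag))
    print("hashed email recovered:",
          reverse_hashed_email(sha256_hex(b"bob@example.com"),
                               ["alice@example.com", "bob@example.com"]))
```

The integrity check only helps if the recorded digest is stored somewhere the attacker cannot also rewrite (a signed manifest, a separate system). When the digest travels with the data, use the HMAC form, or a digital signature, so that producing a matching tag requires a key the attacker lacks.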
Common Hashing Algorithms
All hashing algorithms work in a similar manner. Data goes in, and the function churns through it and emits a fixed-size, illegible digest. But not all algorithms are created equal.
Hashing algorithms include:
- MD5. MD5 is simple, fast, and free to use. It's still among the most widely deployed hash algorithms, but collisions (two different inputs with the same digest) can be produced in seconds, and its speed is exactly what makes it wrong for passwords. Experts encourage companies to pick another method, yet about a quarter of major content management systems still used MD5 as their default password hashing scheme as of 2019.
- Secure Hash Algorithms (SHA). The National Institute of Standards and Technology published SHA-0 in 1993 and SHA-1 in 1995. Practical SHA-1 collisions have since been demonstrated, so it is deprecated. The current families are SHA-2 (SHA-256, SHA-512 and so on, where the number is the digest length in bits) and SHA-3, a separate design standardized in 2015. A bigger number within a family means a longer digest, not automatically a more secure algorithm.
- Tiger. This algorithm was published in 1995 and designed for 64-bit platforms. It processes data in 24 rounds and produces a 192-bit digest. No practical break of the full function is known, but it saw little adoption, and it isn't a choice you'd make today over SHA-2 or SHA-3.
Password hashes are strengthened further with a technique called salting. Companies that do this:
- Add something. Generate a string of random bytes, unique to each password, and combine it with the password before hashing.
- Hash the whole string. The salt and the password go through a deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt or Argon2), not a raw MD5 or SHA-256.
- Store the salt. The salt is stored alongside the hash in the database. It doesn't need to be secret; its job is to make every hash unique, not to hide anything.
- Make it slow. Salting more than once adds nothing. What raises an attacker's cost is the iteration count or memory parameter of the hashing function, tuned so that a single verification takes tens of milliseconds.
Salting is only effective when each password gets its own salt. A single site-wide salt shared by every password defeats the purpose: identical passwords still produce identical hashes, and once an attacker learns that salt, one precomputed table cracks every user at once.
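The procedure above, as an added example that is not part of the original article: storing and verifying passwords with PBKDF2-HMAC-SHA256 and a per-user salt, a check that shows how a shared salt leaks which users chose the same password, and, for contrast, a precomputed lookup attack against unsalted MD5. The wordlist and the "stolen" hash table are constructed for the demonstration; the iteration count is a tunable assumption.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: "pbkdf2_sha256$iterations$salt_hex$digest_hex".

    A fresh 16-byte salt is generated per call; a caller-supplied salt is accepted only so
    the shared-salt weakness can be demonstrated below.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest(record_a: str, record_b: str) -> bool:
    """True when two records share a digest: with a shared salt this leaks reused passwords."""
    return record_a.rsplit("$", 1)[1] == record_b.rsplit("$", 1)[1]


# Constructed wordlist standing in for the multi-gigabyte lists attackers actually use.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024!", "iloveyou"]


def build_lookup_table(wordlist) -> dict:
    """Hash every candidate once; the table is reusable against any unsalted database."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def crack_unsalted(stolen_hashes, table) -> dict:
    """Unsalted fast hash: cracking is a dictionary lookup, with no per-victim work at all."""
    return {h: table[h] for h in stolen_hashes if h in table}


# Constructed "stolen" table of unsalted MD5 password hashes for three accounts.
STOLEN_MD5 = [
    hashlib.md5(p.encode("utf-8")).hexdigest()
    for p in ("letmein", "Summer2024!", "correct horse battery staple")
]


if __name__ == "__main__":
    alice = hash_password("Summer2024!")
    bob = hash_password("Summer2024!")
    print("login ok:", verify_password("Summer2024!", alice))
    print("per-user salts, same password, same digest:", same_digest(alice, bob))
    shared = b"site-wide-salt!!"
    print("shared salt, same password, same digest:",
          same_digest(hash_password("Summer2024!", shared), hash_password("Summer2024!", shared)))
    print("unsalted MD5 cracked:", crack_unsalted(STOLEN_MD5, build_lookup_table(WORDLIST)))
```

Recording the algorithm and iteration count inside each record lets you raise the work factor later and re-hash users transparently at their next successful login. The constant-time comparison matters too: a byte-by-byte `==` on digests can leak, through timing, how many leading bytes a guess got right.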
Compare & Contrast: Encryption vs. Hashing
Both hashing and encryption scramble data to protect it from hackers. But the way the data is scrambled, and what happens with it after encoding, is different.
| | Encryption | Hashing |
|---|---|---|
| Purpose | Confidentiality: protect data in transit and at rest, then read it back | Integrity and verification: detect change, check a password without storing it |
| Reversible? | Yes, with the key | No |
| Type of key | Symmetric (one shared secret) or asymmetric (public and private pair) | None (an HMAC adds a key to prove origin) |
| Used for passwords? | Yes, while in transit (TLS between browser and server) | Yes, while in storage (salted, slow hash of the password) |
If security is the goal, which system works better? The question is the wrong one: they solve different problems, and both fail when deployed carelessly.
Password hashing problems became public for Poshmark in 2019, when attackers obtained a significant amount of user data, including password hashes. Poshmark told customers to change their passwords across their digital lives, especially where they had reused a password from one site on another.
Breaking a hash doesn't mean reversing it. The attacker guesses candidate passwords, hashes each one with the stolen salt, and compares the result against the stolen digest. That should be slow, but against fast hashes such as MD5 or SHA-1, cracking rigs can test hundreds of billions of guesses per second (450 billion per second is a commonly quoted figure), so common passwords fall in minutes. This is why password storage needs a deliberately slow function and a unique salt.
Encryption also comes with vulnerabilities, mostly in how it's deployed rather than in the algorithms. In only about 4 percent of reported breaches was the stolen data encrypted and therefore useless to the thief. In the rest, the data was stored in the clear, or the keys were exposed along with it, so it was usable immediately.
It's possible that some companies apply encryption for compliance only, so they never test that it actually protects anything. It's also possible that the deployment is weaker than hoped: keys stored next to the data, an unauthenticated mode, or a home-grown scheme. Key management is where encryption projects usually fail.
Which Should You Choose?
Answering the question of encryption vs. hashing isn't easy. Protection is the goal, but knowing where to begin can be a challenge.
Consider the data you must protect. Will it:
- Travel, or need to be read back later? You need encryption, in transit (TLS) and at rest, with the keys kept somewhere other than next to the data.
- Need to be checked but never read back, like a password? You need hashing, with a per-user salt and a slow password-hashing function. Recording digests of stored files also lets you detect tampering by someone who enters your server with nefarious plans, provided the digests are kept where that person can't rewrite them.
Know that you can combine hashing and encryption too. You might use hashing to protect password data on your server, then lean on encryption to protect the files users download once they have logged in.
Experiment with the systems and methods that keep your data safe and secure. And know that Okta is here to help.
We specialize in security solutions for businesses both large and small. Deploy our solutions out of the box, or let us build something that is right for you and your industry. Contact us to find out more.
References
- Encryption: More and More Companies Use It, Despite Nasty Tech Headaches. (April 2015). ZDNet.
- History of Encryption. (January 2002). Global Information Assurance Certification.
- The Twofish Encryption Algorithm. (December 1998). Schneier on Security.
- Does Hashing Make Data Anonymous? (April 2012). Federal Trade Commission.
- A Quarter of Major CMSs Use Outdated MD5 as the Default Password Hashing Scheme. (June 2019). ZDNet.
- Passwords and Hacking: The Jargon of Hashing, Salting, and SHA-2 Explained. (December 2016). The Guardian.
- Password Hashing Does Not Guarantee That Your Data Is Secure. (October 2019). Kansas City Business Journal.
- Four Cents to Deanonymize: Companies Reverse Hashed Email Addresses. (April 2018). Freedom to Tinker.
- Businesses Fail to Apply Encryption Technology Effectively. (January 2019). Computer Weekly.
- Encryption vs. Hashing. (December 2019). Medium.
- A Lot of Companies Apply Encryption for the Wrong Reason. (April 2020). Techzine.