Hashing vs. Encoding vs. Encryption (and When MD5 Is Fine)
Last updated: 2026-06-13
Three operations get confused constantly, and mixing them up causes real security bugs. Hashing is one-way and irreversible. Encoding is reversible and provides zero security. Encryption is reversible only with a key. Pick the one that matches your goal, not the one that sounds strongest.
The three, in one line each
- Hashing — maps any input to a fixed-length fingerprint you cannot reverse. Use it to verify integrity and store password verifiers.
- Encoding (e.g. Base64) — repackages data into another format for transport. Anyone can decode it; it is not protection. The Base64 image tool simply reverses such encoding.
- Encryption — scrambles data so only a key can restore it. Use it for confidential data at rest or in transit.
Is MD5 broken? It depends what for
MD5 and SHA-1 are cryptographically broken: attackers can manufacture collisions (two inputs with the same hash). That rules them out for digital signatures or anything an adversary controls. But for non-security work — a checksum to spot a corrupted download, a cache key, deduplicating files — MD5 is fast and perfectly adequate.
When you need a hash to resist tampering, reach for SHA-256. The hash generator produces MD5, SHA-1, and SHA-256 side by side so you can match whatever a checksum file specifies.
Try the toolHash Generator (MD5/SHA-1/SHA-256/SHA-512)Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files instantly — computed in your browser, nothing is ever uploaded.Why you do not hash passwords with plain SHA-256
Fast hashes are the wrong tool for passwords precisely because they are fast — a GPU can try billions of SHA-256 guesses per second. Password storage needs a slow, salted algorithm built for the job: bcrypt, scrypt, or Argon2. The salt (a unique random value per password) stops attackers from cracking many hashes at once with a precomputed table.
This is why web servers use purpose-built schemes. When you create credentials with the htpasswd generator, it uses bcrypt rather than a bare hash for exactly this reason.
Choosing quickly
- Need to verify a file is intact and no attacker is involved? MD5 or SHA-256 checksum.
- Need tamper resistance or a signature? SHA-256, never MD5/SHA-1.
- Storing passwords? bcrypt, scrypt, or Argon2 with a per-password salt — not a raw hash.
- Need to recover the original later? That is encryption (with a managed key), not hashing.
- Just moving binary data through a text channel? That is encoding, e.g. Base64.
Frequently asked questions
Is MD5 secure?
Not for anything security-sensitive — it is vulnerable to collisions. It remains fine for non-adversarial checksums, cache keys, and deduplication, where speed matters and tampering is not a concern.
What is the difference between hashing and encryption?
Hashing is one-way: you cannot recover the input from the hash. Encryption is two-way: the original is recoverable with the correct key. Use hashing to verify, encryption to keep something secret yet retrievable.
Why can't I store passwords with SHA-256?
SHA-256 is too fast, letting attackers brute-force guesses at enormous rates. Passwords need a deliberately slow, salted algorithm such as bcrypt, scrypt, or Argon2.
What does a salt do?
A salt is a unique random value added to each password before hashing. It ensures identical passwords produce different hashes and defeats precomputed lookup tables.
Tools in this guide
- Hash Generator (MD5/SHA-1/SHA-256/SHA-512)Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files instantly — computed in your browser, nothing is ever uploaded.
- .htpasswd GeneratorGenerate .htpasswd lines for Apache and nginx basic auth — bcrypt or MD5-crypt hashes computed locally, your password never touches a server.
- JSON Escape / UnescapeEscape text for JSON strings or unescape JSON back to plain text — quotes, backslashes, newlines, and unicode handled correctly both ways.
- Base64 ⇄ Image ConverterConvert Base64 to an image and images to Base64 data URIs in your browser — instant preview, PNG, JPG, WebP and SVG support, nothing uploaded.