Encoding vs encryption vs hashing, explained simply

Encoding, encryption, and hashing get confused constantly, and the confusion causes real security bugs (like "encrypting" passwords, or trusting Base64 to hide a secret). They solve three different problems. Here is the clear version.

Encoding: for format, not secrecy

Encoding transforms data into another format so it can be stored or transmitted safely, for example Base64 to put binary into text. It is fully reversible by anyone, with no key. Base64 is not security; it is the digital equivalent of writing in a different alphabet.

import base64
base64.b64encode(b"hello")   # b'aGVsbG8='  -> anyone can decode this

Use it for: moving data through channels that expect text (data URLs, JSON, email). Never use it to protect anything secret.

Encryption: for secrecy

Encryption scrambles data with a key so that only someone with the right key can read it. It is reversible, but only if you have the key. This is what protects messages, files, and traffic.

plaintext + key -> ciphertext   (and back, with the key)

There are two families: symmetric (same key to encrypt and decrypt, fast, for data at rest) and asymmetric (a public key encrypts, a private key decrypts, the basis of HTTPS). The golden rule: do not invent your own; use a vetted library.

Use it for: anything that must stay secret but be recovered later.

Hashing: for integrity, one way

A hash function turns any input into a fixed-size fingerprint, and it is deliberately not reversible. The same input always gives the same hash; a tiny change gives a totally different one. You cannot get the original back from the hash.

import hashlib
hashlib.sha256(b"hello").hexdigest()   # a fixed 64-char fingerprint

Use it for: verifying a file has not changed, storing passwords (with a slow, salted hash like bcrypt or argon2, never plain SHA-256), and de-duplication.

The mistakes to avoid

  • "We encrypt passwords." No. Passwords should be hashed (slow + salted), never encrypted, because you never need to recover the original, only check a match.
  • "Base64 hides it." Encoding is not encryption. Base64 protects nothing.
  • Plain SHA-256 for passwords. Too fast, so it is brute-forceable. Use a purpose-built password hash.

A simple way to remember: encoding is for format, encryption is for secrecy, hashing is for integrity.
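The three operations side by side, as an added example that is not code from the original post: Base64 round-trips with no key, SHA-256 gives a tamper check, and a password is stored with a slow, salted hash. Encryption is left out because it needs a vetted third-party library; the password hash uses PBKDF2-HMAC-SHA256 from the standard library as an offline stand-in for bcrypt or argon2, and the message and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample input (not from the original post).
MESSAGE = b"transfer 100 to alice"


def base64_roundtrip(data: bytes) -> bytes:
    """Encoding: anyone can reverse it, no key involved."""
    return base64.b64decode(base64.b64encode(data))


def fingerprint(data: bytes) -> str:
    """Hashing: fixed-size SHA-256 fingerprint, not reversible."""
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, expected_hex: str) -> bool:
    """Tamper check: recompute the hash and compare in constant time."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


# Password storage: slow + salted. PBKDF2-HMAC-SHA256 (stdlib) stands in
# for bcrypt/argon2 here; the iteration count is what makes it slow.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare; the original is never recovered."""
    scheme, iters, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


if __name__ == "__main__":
    print("base64 reversible:", base64_roundtrip(MESSAGE) == MESSAGE)
    fp = fingerprint(MESSAGE)
    print("unchanged:", unchanged(MESSAGE, fp))
    print("tampered:", unchanged(b"transfer 900 to alice", fp))
    stored = hash_password("correct horse")
    print("login ok:", verify_password("correct horse", stored))
    print("wrong pw:", verify_password("wrong", stored))
```

Hashing the same password twice yields two different stored strings because each gets its own salt, which is what stops precomputed tables from working across accounts.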

See it by building it

These ideas stick when you implement them: encode and decode Base64 by hand, build a hash-based tamper check, and store a password the right way. The cybersecurity track walks through encoding, hashing, classical and modern crypto, and password cracking, all built and run in your browser. The first project is free.