• Null Pointer Club
  • Posts
  • Lock & Key: How Hashing and Encryption Keep Your Passwords Safe

Lock & Key: How Hashing and Encryption Keep Your Passwords Safe

Hashing vs. Encryption – What Every Developer Must Know About Password Storage

April 25, 2025

In partnership with

Security breaches are no longer rare events. Every month brings news of another compromised database or leaked credentials. For developers, this raises a critical question — how are passwords really protected? The answer often lies in two key concepts: hashing and encryption. While they both deal with transforming data into unreadable formats, they serve very different purposes in securing user data.

Find out why 1M+ professionals read Superhuman AI daily.

In 2 years you will be working for AI

Or an AI will be working for you

Here's how you can future-proof yourself:

  1. Join the Superhuman AI newsletter – read by 1M+ people at top companies

  2. Master AI tools, tutorials, and news in just 3 minutes a day

  3. Become 10X more productive using AI

Join 1,000,000+ pros at companies like Google, Meta, and Amazon that are using AI to get ahead.

This edition of Nullpointer Club breaks down the differences between hashing and encryption, how they work in password protection, and which best practices to follow when building secure systems.

What Is Hashing?

Hashing is a one-way transformation of data. It takes an input (like a password) and returns a fixed-length string, known as a hash value. Hashing is deterministic — the same input will always result in the same output. But crucially, the process is irreversible — you can't "decrypt" a hash to recover the original password.

Use Case: Storing passwords securely.
Example Algorithm: SHA-256, bcrypt, Argon2.

Why It’s Ideal for Passwords:

  • You don’t need to recover the original password — only compare hashes.

  • Even if the hash is exposed, reversing it is computationally infeasible.

  • With salts (random data added to the password before hashing), hashes become unique, even for users with the same password.

Best Practices:

  • Always salt passwords before hashing.

  • Use a slow hash function like bcrypt or Argon2 to resist brute-force attacks.

  • Never use outdated hash functions like MD5 or unsalted SHA1.

What Is Encryption?

Encryption is a two-way process — data is encoded using a key, and can later be decrypted using the same (symmetric encryption) or a different key (asymmetric encryption). This makes encryption ideal for protecting data in transit or when you need to recover the original information later.

Use Case: Protecting messages, files, or stored data that must be readable again.
Example Algorithm: AES, RSA.

Why It's Not Ideal for Password Storage:

  • If encrypted passwords are leaked and the key is exposed, all passwords can be decrypted.

  • It's an overhead — you're storing sensitive data in a reversible format, increasing risk.

  • You don’t need to decrypt passwords — only verify them.

So Why Do Developers Still Confuse the Two?

Because both techniques disguise original data, the terms are often mistakenly used interchangeably. But for secure systems, the distinction matters:

Feature

Hashing

Encryption

Reversible?

No

Yes

Use case

Verification

Data recovery

Key required?

No

Yes

Ideal for

Passwords, checksums

Secure communication, data files

Real-World Implementation Tips

  1. Never store passwords in plain text
    This is a fundamental security flaw, yet some apps still do it. Always hash, and hash smart.

  2. Use industry-standard algorithms
    Don’t invent your own crypto or use outdated libraries. Use vetted tools like bcrypt with a proper cost factor or Argon2 for modern systems.

  3. Add a unique salt per user
    A salt prevents pre-computed hash attacks (like rainbow tables). Libraries like bcrypt handle this internally.

  4. Hash comparisons on login
    When a user logs in, hash the password they provide and compare it to the stored hash. No decryption necessary.

  5. For sensitive data (not passwords), use encryption
    If you need to retrieve the original data — say credit card info or user preferences — use strong encryption like AES-256 and store keys securely.

hashing vs encryption

Caution: Where Encryption Goes Wrong

  • If you encrypt passwords for “recovery,” you're creating a vulnerability. There's no safe reason to recover a user's password — always let them reset it.

  • Leaked encryption keys = exposed user data. If your key storage isn’t robust, you're better off not using encryption at all.

Signal Boost: Fresh Breakthroughs and Bold Moves in Tech & AI

Stay ahead with curated updates on innovations, disruptions, and game-changing developments shaping the future of technology and artificial intelligence.

OpenAI's Enhanced Image Generator Now Accessible to Developers. Link

  • OpenAI has released its upgraded image generation model, "gpt-image-1," to developers via its API, enabling integration into various applications and services. ​

  • The model can create images in diverse styles, follow custom prompts, incorporate world knowledge, and accurately render text, offering versatile applications across multiple domains. ​

  • Companies like Adobe and Figma are integrating "gpt-image-1" into their tools, enhancing creative flexibility and enabling users to generate and edit images using prompts. ​

  • Other companies, including Canva, GoDaddy, and Instacart, are exploring applications of the model, indicating widespread industry interest in AI-driven image generation. ​

  • Initially, "gpt-image-1" is accessible through OpenAI's Images API, with plans to extend support to the Responses API in the future.

Mozilla Introduces Open-Source Tools to Facilitate Ethical AI Dataset Creation. Link

  • Mozilla has released new open-source tools aimed at assisting developers in building AI datasets that adhere to ethical standards and avoid the use of copyrighted material.

  • These tools are part of Mozilla's broader initiative to promote ethical AI development by providing resources that help prevent the incorporation of biased or unauthorized content into AI training datasets. ​

  • By offering these tools, Mozilla seeks to empower developers to create AI systems that are transparent, fair, and respect intellectual property rights, thereby fostering trust in AI technologies. ​

  • The initiative underscores Mozilla's commitment to open-source principles, ensuring that the tools are freely available for modification and distribution, encouraging community collaboration. ​

  • Through these efforts, Mozilla contributes to the development of responsible AI by providing practical solutions that address common ethical challenges in AI dataset creation.

Summary

When it comes to passwords, hashing is your go-to. It's secure, irreversible, and purpose-built for password verification. Encryption has its place, but not in password storage. Understanding when and how to use each technique is essential for building secure systems and earning user trust.

Until then, keep it hashed and stay safe.

— The Nullpointer Club Team

Reply

or to participate.