Compute cryptographic hashes and HMACs, or verify password hashes, 100% locally in your browser:
In modern web development, securing user data and verifying system communications is non-negotiable. However, developers frequently confuse basic cryptographic building blocks, using hashing where they should encrypt, or encryption where they need signature verification.
To build secure systems, you must understand three foundational primitives: **Hashing**, **HMAC (Keyed-hashing)**, and **Encryption**. Each is designed for a completely distinct security purpose.
1. Hashing (One-Way Data Fingerprints)
A cryptographic hash function takes input of any length and compresses it into a **fixed-size digest** (the hash). Hashing is a **one-way function**: given a digest, it is computationally infeasible to recover the original input (preimage resistance), and it is infeasible to find two different inputs that produce the same digest (collision resistance). Digests are not unique in a strict mathematical sense, since infinitely many inputs map onto a finite set of outputs, but for a sound hash such as SHA-256 nobody can find a colliding pair in practice, and changing a single bit of the input produces an unrelated digest.
Primary Use Case:
- Password Storage: Passwords must never be stored in plain text or in encrypted form. Instead, each password must be hashed with its own random salt using a slow, deliberately expensive algorithm such as bcrypt, Argon2, or PBKDF2, so that an attacker who steals the database cannot cheaply test billions of guesses. A fast general-purpose hash like SHA-256 is the wrong tool for this job. Check your bcrypt outputs locally with our Bcrypt Verifier.
- Data Integrity: Verifying that a file has not been altered during transfer by comparing its SHA-256 checksum against the published value. MD5 and SHA-1 still catch accidental corruption, but both have practical collision attacks, so they cannot protect against a deliberate substitution. Note also that a bare checksum only helps if it is obtained over a channel the attacker cannot modify; a checksum served next to the file it describes proves nothing against someone who controls that server, which is where HMAC and signatures come in.
2. HMAC (Keyed-Hashing for Message Integrity)
HMAC stands for **Hash-based Message Authentication Code**. It combines a standard cryptographic hash function (like SHA-256) with a **secret cryptographic key**.
Unlike a plain hash, which anyone can recompute after modifying the data, an HMAC proves both **integrity and authenticity**. It demonstrates that the data was not modified *and* that the sender possessed the secret key used to generate the code. The receiver recomputes the HMAC over the received bytes with the same secret and compares it to the transmitted value in constant time; without the key, an attacker cannot produce a valid code for a modified message.
Primary Use Case:
- API Webhooks: Webhook providers (such as Stripe or GitHub) compute an HMAC over the raw request body with a secret shared with you and send it in a header, so your backend can confirm that the delivery came from them and was not altered in transit. Stripe additionally folds a timestamp into the signed data so that a captured delivery cannot be replayed indefinitely.
- JWT Signatures: JSON Web Tokens signed with HS256 use HMAC-SHA256 over the header and payload, so a client cannot change the claims without invalidating the signature. The verifier must pin the algorithm it expects rather than trusting the token's own `alg` field. JWTs can also be signed asymmetrically (RS256, ES256), which is the better choice when many services need to verify tokens but only one should be able to issue them.
3. Encryption (Reversible Data Privacy)
Encryption is a **two-way function** designed to keep data private. It scrambles readable plain text into unreadable cipher text using an encryption key, and allows individuals holding the correct **decryption key** to reverse the cipher back into its original state.
Encryption splits into two primary models:
- Symmetric Encryption (e.g., AES): a single secret key both encrypts and decrypts. It is fast, so it handles bulk data: database fields, whole disks, and the body of a TLS session. Use an authenticated mode such as AES-GCM; an unauthenticated mode such as CBC lets an attacker alter ciphertext without detection, and reusing a nonce/IV under the same key breaks GCM's guarantees.
- Asymmetric Encryption (e.g., RSA, ECC): anyone holding the public key can encrypt, and only the holder of the matching private key can decrypt (with the roles reversed, the same key pair signs and verifies). It is slow and limited to small messages, so protocols such as TLS and SSH use it to authenticate the parties and agree on a symmetric session key, then protect the actual traffic with AES or ChaCha20.
Summary Comparison Matrix
| Primitive | Type | Reversible? | Secret Key Required? | Primary Objective |
|---|---|---|---|---|
| Hashing | One-way | ❌ No | ❌ No | Data integrity / Password storage |
| HMAC | One-way | ❌ No | ✅ Yes | Message authenticity / API signatures |
| Encryption | Two-way | ✅ Yes | ✅ Yes | Data privacy / Safe communications (pair with an authenticated mode or a MAC for integrity) |
Frequently Asked Questions
- What is the main difference between hashing and encryption?
- Hashing is a one-way function that maps input data to a fixed-size digest (a hash). It cannot feasibly be reversed, and it needs no key. Encryption is a two-way function that protects data so it can only be read by someone holding the correct decryption key.
- What is an HMAC used for?
- HMAC (Hash-based Message Authentication Code) uses a secret key combined with a cryptographic hash function to verify both the integrity of a message and its authenticity (confirming that the sender holds the secret key).
- Should I use encryption or hashing for password storage?
- Always use one-way hashing with a slow, salted algorithm like bcrypt, Argon2, or PBKDF2 for password storage. Never encrypt passwords: the application must hold the decryption key at runtime, so an attacker who compromises the server, or the key alone, can decrypt and read every user's password. A properly hashed password cannot be recovered from the stored value, only guessed at, and the slow hash makes each guess expensive.