Hashing vs Encryption vs Tokenization
Learn the difference between hashing, encryption, tokenization, and masking, including when to use each technique for passwords, PII, payment data, logs, and compliance.
What You Will Learn
- What hashing is.
- What encryption is.
- What tokenization is.
- How masking differs from protection at rest.
- Which technique to choose for common data types.
Introduction
Hashing, encryption, tokenization, and masking are different tools.
Choosing the wrong one can create serious security problems.
Quick Comparison
| Technique | Reversible? | Common Use |
|---|---|---|
| Hashing | No | Password verification |
| Encryption | Yes | Sensitive data storage |
| Tokenization | Yes, through the token vault | Payment and PII references |
| Masking | Not protection by itself | Safe display and logging |
Hashing
Hashing converts data into a value that cannot be reversed to recover the original input.
Use hashing for passwords.
password -> BCrypt hash
Never encrypt passwords for later decryption.
Encryption
Encryption protects data that must be read later.
Examples:
- Tax ID.
- Account number.
- Medical identifier.
Use strong key management.
Tokenization
Tokenization replaces sensitive data with a token.
4111111111111111 -> tok_card_abc123
The original value is stored in a secure token vault or managed provider.
Masking
Masking hides part of a value for display.
[email protected] -> v***@example.com
Masking is useful for logs and UI, but it is not the same as encryption.
Decision Guide
| Data | Recommended Technique |
|---|---|
| Password | BCrypt or Argon2 hash |
| API key storage | Hash for verification or encrypt if retrieval is required |
| SSN | Encrypt and mask on display |
| Credit card | Tokenize with a compliant provider |
| Logs | Mask or redact |
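
The four techniques from the tables above, side by side, as an added Java example that is not code from the original article. It uses only the JDK, so PBKDF2 stands in for the BCrypt or Argon2 hash the table recommends; the class and method names, the in-memory `VAULT` map, and the sample password and SSN are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class DataProtectionDemo {
    static final SecureRandom RNG = new SecureRandom();
    // Constructed stand-in for a token vault; a real vault is a separate, access-controlled service.
    static final Map<String, String> VAULT = new HashMap<>();
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    // Hashing: one-way. PBKDF2 stands in for BCrypt/Argon2 only because it ships with the JDK.
    static byte[] hash(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 600_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // Encryption: reversible with the key. AES-GCM, fresh 12-byte nonce stored before the ciphertext.
    static byte[] encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return java.nio.ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }
    static String decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
    // Tokenization: a random token with no mathematical link to the value; only the vault maps it back.
    static String tokenize(String value) {
        String token = "tok_" + Base64.getUrlEncoder().withoutPadding().encodeToString(random(16));
        VAULT.put(token, value);
        return token;
    }
    // Masking: display only. Shows the last four characters; values of four or fewer are fully hidden.
    static String mask(String v) {
        int keep = v.length() > 4 ? 4 : 0;
        return "*".repeat(v.length() - keep) + v.substring(v.length() - keep);
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = random(16), stored = hash("correct horse", salt); // constructed sample password
        System.out.println("hash verifies: " + MessageDigest.isEqual(stored, hash("correct horse", salt)));
        SecretKey key = new SecretKeySpec(random(32), "AES"); // assumption: real keys come from a KMS or HSM
        System.out.println("decrypted: " + decrypt(key, encrypt(key, "123-45-6789"))); // constructed SSN
        String token = tokenize("4111111111111111"); // card number used in the Tokenization section
        System.out.println(token + " resolves to " + mask(VAULT.get(token)));
    }
}
```

Only `decrypt` and the vault lookup return the original value; the hash can only be recomputed and compared, and the masked string cannot be turned back into the card number.
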
Summary
Use hashing for one-way verification, encryption for sensitive values that must be read, tokenization for substituting high-risk data, and masking for safe display.