Hashing is irreversible: it turns your text into a fixed-size, effectively unique fingerprint from which the original text cannot be recovered. Everything is computed locally in your browser.
Why is bcrypt different? MD5 and SHA hashes are computed in microseconds, whereas bcrypt deliberately takes about 100 ms at cost factor 10, so an attacker trying millions of passwords is thousands of times slower. The SHA-256 of a common password can be cracked in seconds; bcrypt resists far better.
Encryption is bidirectional: with the right key, the original message can be recovered; without the key, the content is unreadable.
Symmetric encryption uses the same key to encrypt and to decrypt. The encrypted message can be shared freely, but the key must be transmitted only over a separate, secure channel.
How does it work (AES-GCM)? Your key is derived from your passphrase with PBKDF2 (100,000 iterations). A fresh random salt and a unique IV are generated for every encryption. The Base64 output is the concatenation of the salt (16 bytes), the IV (12 bytes) and the encrypted data. Without the key, it is unreadable.
Three often-confused concepts: hashing is irreversible (fingerprint), encryption is reversible with a key, encoding (Base64, Hex) is not security — anyone can decode.
| Algorithm | Size | Status | Recommended use |
|---|---|---|---|
| MD5 | 128 bits | Deprecated | Non-critical file integrity only |
| SHA-1 | 160 bits | Obsolete | Avoid: collision demonstrated in 2017 |
| SHA-256 | 256 bits | Standard | Signatures, integrity, JWT, Bitcoin |
| SHA-512 | 512 bits | Robust | High security, critical files |
| bcrypt | Variable | Passwords | Only reasonable option for storing passwords |
Why do "MD5 decryption" sites work? They don't decrypt anything. They have pre-computed the hashes of millions of common inputs (rainbow tables): if your text is common, they find it; if it is unique, they cannot. bcrypt with a random salt makes these tables useless, because every password gets a different hash even when two users choose the same one.
| Algorithm | Status | Key points |
|---|---|---|
| AES-256-GCM | 2024 Standard | Encryption + message authentication. NIST recommended. Used by TLS 1.3, WhatsApp, Signal. |
| AES-256-CBC | Valid | Older, no built-in authentication. Very widespread (legacy). |
| 3DES | Deprecated | Triple DES. Slow, short key. Still in some old banking systems. |
| ChaCha20-Poly1305 | Modern | Alternative to AES, faster on mobile/CPU without hardware acceleration. TLS 1.3, WireGuard. |
RSA limitation: RSA can only encrypt short messages. In practice (HTTPS, emails), an AES key is encrypted with RSA, then the data with AES — this is hybrid encryption.
✅ AES-256-GCM to encrypt data, messages, files.
✅ bcrypt to store passwords in database.
✅ SHA-256 to verify integrity of a downloaded file.
✅ HMAC-SHA256 to authenticate API requests or webhooks.
✅ A good key has 12 or more characters and mixes uppercase, lowercase, digits and symbols.
✅ Transmit the key and encrypted message via separate channels.
❌ Never use MD5 or SHA-1 for passwords.
❌ Don't confuse Base64 with encryption — it's just encoding.
❌ Never send key + encrypted message together in the same message.
❌ Never store an RSA private key in a publicly accessible location.