Hashing is a way to store passwords in a form that cannot be read back, yet can still be used to authenticate users to the system. By adding a random salt to each password before hashing, the stored hash cannot be checked against a precomputed list of hashed passwords. Hashing is related to encryption, but it is a one-way function: an entered password is hashed and compared with the stored hash, and if the two match, authentication succeeds.
Failure to properly hash passwords means that if the password file or table is stolen, its contents can be compared against a precomputed list to recover users' passwords.
It is expected that all passwords are hashed with a random salt before they are stored in a password file or table.
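The following is an added example (not part of the original text) showing what the salted, one-way storage described above looks like in practice. It uses PBKDF2-HMAC-SHA256 from Python's standard library, a 16-byte random salt per password, and a constant-time comparison on verification. The record format, the iteration count and the small "precomputed table" of common passwords are all assumptions constructed for the demonstration; the table illustrates why an unsalted hash is recoverable by lookup while a salted one is not.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example;
# raise it as hardware improves, it slows both you and an attacker).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    A fresh random salt is drawn from os.urandom for every password, so two
    users with the same password get different records. Passing an explicit
    salt is only for deterministic tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the entered password with the stored salt and compare.

    hmac.compare_digest runs in constant time, so a wrong guess does not
    leak how many leading bytes of the hash matched.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# --- Why the salt matters: a constructed "precomputed table" -------------
# An attacker who steals an unsalted table only needs hashes of common
# passwords, computed once. This tiny table stands in for such a list.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]
PRECOMPUTED_SHA256 = {
    hashlib.sha256(p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: plain SHA-256 with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_lookup(hash_hex: str) -> Optional[str]:
    """Return the password if the hash appears in the precomputed table."""
    return PRECOMPUTED_SHA256.get(hash_hex)


def salted_record_is_in_table(record: str) -> bool:
    """The salted record's hash field never matches a precomputed entry."""
    digest_hex = record.split("$")[-1]
    return precomputed_lookup(digest_hex) is not None


if __name__ == "__main__":
    rec = hash_password("password123")
    print("stored:", rec)
    print("login ok:", verify_password("password123", rec))
    print("unsalted recovered as:", precomputed_lookup(unsalted_hash("password123")))
    print("salted found in table:", salted_record_is_in_table(rec))
```

In a real deployment the iteration count is stored with the record, as here, so it can be raised later and old records re-hashed at the user's next successful login; a dedicated password-hashing function such as Argon2id or bcrypt is preferred where a library is available, and the same salt-per-password and constant-time-compare rules apply.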
Encryption at rest ensures that data is encrypted when it is written to a storage medium. Hard drives or volumes on virtualized storage must be encrypted, and backup tapes also need to be encrypted. It is important to encrypt all removable media, including hard drives and USB sticks.
Encryption of data at rest ensures that if the drives or tapes are stolen or lost, the data is not accessible to whoever ends up in possession of the storage media.
Organizations dealing with highly sensitive data will require that all data stored on non-volatile storage, such as hard drives, solid state drives, USB drives/sticks, network attached storage, or other such devices, be encrypted.
Most organizations will require devices such as laptops, external hard drives, and USB sticks to be encrypted, as these are the most often lost or stolen devices.
Additionally, if backup tapes are stored off site, or transported to a different site within the organization, these are also vulnerable to loss or theft and should be encrypted.