Base64 is Not Encryption: Stop Hiding Secrets in Plain Sight
I see this all the time in configuration files or old code: a password or an API key that looks like a bunch of gibberish, like SGVsbG8gV29ybGQ=.
"Oh, it's encrypted," someone might say.
But it’s not! It’s just Base64 encoded. Anyone with a terminal or a web browser can turn that gibberish back into plain text in about two seconds.
The Big Picture: Encoding vs. Encryption
[ Plain Text ] --( Encoding )--> [ Gibberish ] --( Decoding )--> [ Plain Text ]
   "Secret"      (No Key Needed)   "U2VjcmV0"    (No Key Needed)    "Secret"
What is Encoding? (Base64)
Encoding is like writing your name in cursive or Morse code. It's a way to change the format of the data, but it doesn't hide the meaning.
We use Base64 to turn binary data (like an image) into text, so it can be safely sent over systems that only understand text (like email or JSON).
What is Encryption? (AES, RSA)
Encryption is like putting your name in a locked safe. You need a key to get the meaning back. Without the key, the data is computationally infeasible to read.
Wait, but why do people get confused?
Because both result in "gibberish" that humans can't read at a glance.
- Base64 always uses a specific set of 64 characters (A-Z, a-z, 0-9, +, /) and often ends with one or two = signs.
- Encryption usually looks like completely random noise and doesn't have a predictable pattern.
Common gotchas
- I always forget that Base64 increases file size by about 33%. If you encode a 1MB image, the resulting text string will be about 1.33MB!
- Watch out for "Obfuscation": Sometimes people use Base64 to hide things from casual observers. This is fine for preventing accidental spoilers, but it is not a security measure.
Try it yourself
You can decode any Base64 string in your terminal right now:
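One way to run that check across a whole config file, as an added example that is not from the original post: a small POSIX shell script that flags key=value settings whose value is only Base64 text. The function names and the sample config are made up for illustration, and it assumes a base64 command that accepts -d, as GNU coreutils does.

```shell
#!/bin/sh
# Added example: find config values that are only Base64-encoded, not encrypted.

# True if $1 fits the Base64 shape: A-Z a-z 0-9 + /, up to two '=' of padding,
# and a total length that is a multiple of 4.
looks_like_base64() {
  [ -n "$1" ] && [ $(( ${#1} % 4 )) -eq 0 ] &&
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Print the decoded value and return 0 only when $1 decodes to readable ASCII.
# Short words such as "info" also fit the Base64 shape, so the decoded bytes
# are checked: anything outside printable ASCII or newline is treated as binary.
decode_if_text() (
  looks_like_base64 "$1" || exit 1
  junk=$(printf '%s' "$1" | base64 -d 2>/dev/null |
    LC_ALL=C tr -d '[:print:]\n' | wc -c)
  [ "$junk" -eq 0 ] || exit 1
  printf '%s' "$1" | base64 -d
)

# Read key=value lines on stdin; report every value that decodes to plain text.
audit_config() (
  while IFS= read -r line; do
    case $line in '#'*|'') continue ;; *=*) ;; *) continue ;; esac
    key=${line%%=*}
    value=${line#*=}   # everything after the first '=', so padding is kept
    if text=$(decode_if_text "$value"); then
      printf '%s: "%s" decodes to "%s" with no key\n' "$key" "$value" "$text"
    fi
  done
)

# Constructed sample config; the last value is Base64 of four binary bytes.
audit_config <<'EOF'
db_password=SGVsbG8gV29ybGQ=
api_key=U2VjcmV0
log_level=info
session_blob=3q2+7w==
EOF
```

Only db_password and api_key are reported; log_level and session_blob fit the Base64 shape but decode to non-text bytes, so they are skipped.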
(Spoiler: It says "Hello World")
Further reading
- Public Key vs Private Key – What real encryption looks like.
- Kibibyte vs Kilobyte – Why encoding large files into Base64 might make your storage look smaller/larger than you think.
— Nadeem 🔡