A virtual teacher who reveals to you the great secrets of Base64

Base64 encryption is a lie

Base64 encryption is a lie

You were told or you thought that the Base64 is an encryption algorithm? Achtung! This is not only erroneous, but also very dangerous, because Base64 is just an encoding algorithm that does not protect sensitive data in any way.

Remember!!! Everyone can decode a Base64 string just as easily as you encoded it. Some can decode it simply using a regular pen and paper.

Base64 is like a foreign language. Even if you do not speak it, you can use an online decoder to “translate” Base64 to text. Technically, it’s the same as translating Chinese into English using Google Translate. The only difference is that Base64 is much simpler and, unlike the machine translation, it never fails. Therefore, you cannot use Base64 to hide or protect sensitive information, such as passwords, tokens, private keys, or any kind of confidential information.

I published this article because according to a recent “Password-Storage Field Study” it turned out that 8 of 43 freelancers have chosen Base64 to “encrypt” passwords. It scares me that so many developers think that “Base64 is very tough to decrypt” or that “Base64 encoded passwords are considered encrypted because they are not stored as plaintext”. In addition, researchers discovered that many developers do not understand the difference between encoding, hashing, and encryption. So, let’s briefly describe each of them.

  • Encoding converts data into a “reliable” format to ensure that it will not be damaged during transmission. Encoding algorithms (such as Base64, Morse code, Punycode, URL encoding) are very simple and come down to the substitution of some characters by others. To get the original data it is enough just to reverse the substitution process.

  • Encryption “hides” data by protecting it with a password so that data can be viewed only by those who know the password. Encryption algorithms (such as AES, Blowfish, DES, Twofish) are designed to protect secret data and ensure that even if encrypted data is stolen, it will not be accessible to unauthorized persons, since they need the password to decrypt it.

  • Hashing computes a unique “identifier” for the data provided, which most often is used to check the data integrity. Hash algorithms (such as MD5, RIPEMD-160, SHA-512, Whirlpool) are one-way functions that do not have a reversible algorithm, therefore, no one can get the original data only on the basis of the provided hash. The only way to guess original data is to crack the hash using brute-force.

I know, these definitions are too vague, but the idea is to show the difference between them. That’s why I strongly recommend you to go deeper and read at least the following Wikipedia articles:

If you’re a regular user looking for a Base64 encryption tool, check out the Base64 encoder and, please, never mention that erroneous words. If you are a developer, don’t forget that security is paramount and always pay more attention to it. If you are a professional who knows how to improve this article, feel free to ping me. If you find this article useful and want to make the web a bit more secure — spread the word and share the knowledge. If you know an instructive story about Base64 encryption, please don’t be selfish :)

Comments (45)

I hope you enjoy this discussion. In any case, I ask you to join it.

  • DavidAArteaga,
    2a3f+6439+5387+4892+636f+f1bd+779d+c3a0= uh, guess I did this right but what do you do with this afterwards. Be awesome if those numbers went into my bank account ? I've probably found thousands of these embeded Mal. Ali.
  • zorgos,
    What do you think about this :
    https://github.com/base64encrypted/php_base64encrypted
    Is it encrypted or encoded?
    • Administrator,
      Yeah! The source code looks almost encrypted :)

      As for the algorithm, I did not analyze it, but even if it is an encryption algorithm I would not trust it.
      • zorgos,
        I don't think aes is easier to read ;)
        https://sebsauvage.net/paste/?36a4754464ed1d34#tucc+ZxbYliC/LA+tqEvils2sUuhDQr6ELGoizVD89A=
        • Administrator,
          This one is weaker because it has human-readable variables and this makes decryption easier :)

          By the way, do you know any details about php_base64encrypted? Maybe some in-depth reviews or thoughts?
          • Allegan,
            The substitution block is a part of the AES standard and in no way makes it weak. This is how it is designed to be. They are called magic numbers. Plain values with no special meaning meant to help obfuscate the plaintext further.
            • Administrator,
              Hey, Allegan! I was having fun about the source code, not about the algorithm. If you compare both links provided by Zorgos, you will notice how hard-to-read is the first one that contains many confusing variables, unexplained numbers, jumbled long lines, and a lot of inline expressions. All this makes the code look like a solution based on security through obscurity and you should spend more time in order to understand what is going on there. Although I don't rule out that it may be a really good algorithm.
  • zorgos,
    No body understand...
  • KoenigsKind,
    Well, you could argue that Base64 is an encryption, just as much as ROT13 is one. As long as any person seeing the ciphertext has no knowledge about Base64, the information is quite well hidden. The only problem is, Base64 is widely known and really easy to identify as Base64 encoded data.

    A better idea would probably be, to "encrypt" data using Base58 which looks a lot like Base64 :D
    • Kameratarra,
      Base58 in this case would merely be security through obscurity, which is not really secure at all.
  • Aless,
    Come posso decifrare questo messaggio?
    Grazie ☺️

    hT2fnEK8WqptVGWL
    hT2fnEK8WqptVGWtLF83W5S3EVU>dHet
    HLY_>W3
    JG=AJ54 CYh9avte4ggVt.
    9UHOU_EQ8&dETW9q>erT4K9_IS?GrGJ?
    dBRw9
    E
    9dR'CTCKétK:vaGZ88tV2fEK=s8Wvu5VGW
    t+OD5TNV8dEytU&>EVvEX4JF
    G5S!CV:aHp et T7Y,
    9W0JGaQ5aEYB99au894/TtM.9UR?
    JqrGJ8aHdE>609eCT4NL9ILOGtEGItd_W0G;
    ZK9
    • venkatareddy,
      warjnininibuubbiniby6guvxwzwzeunoomibtu6tubj
  • Newbee,
    Hi, I've changed my bank password for split609eCT4NL9ILOGtEGItd_the9W0JGaQ5aEYB99au894__9W0JGaQ5aEYB99au894.
    Do you think I could post it on the web for an answer ?
    Thanxx anyway for your nice site bro, you have a beautiful job^^
    Newbee
  • excellent,
    Do you like Mr.Freeze ?
  • MooseBoys,
    Nonsense - you'll never break my encryption!


    V0VBVEhFUiBSRVBPUlQgMDYwMCBFTkdMSVNIIENIQU5ORUwgT1ZFUkNBU1QgV0lORCBORSAxMiBLUEggU0VBUyAyNSBETSBURU1QRVJBVFVSRSA5IERFR1JFRVMgSFVNSURJVFkgNTAgUENUIFZJU0lCSUxJVFkgMjAgS00=
    • 333,
      @MooseBoys your code had an error it should have had more balance :-)
      WEATHER REPORT 0600 ENGLISH CHANNEL OVERCAST WIND NE 12 KPH SEAS 25 DM TEMPERATURE 9 DEGREES HUMIDITY 50 PCT VISIBILITY 20 KM
    • user,
      yeah bc its just a in-depth weather
      report
      but...that might give us a clue?
      hmm...oh! maybe it blew into the
      reporters face who was giving the
      report! i love how this site is both
      logical and hilarious, i vote 10/10
  • Hikaru,
    0L/RgNC40YXQvtC00Lgg0LIg0LDRgNC60LDQtNGDINC90L7Rh9GM0Y4=
  • hgstyle,
    Basically, when you need a password to encrypt data, its safe.
    If its not asking for a password to "encrypt" data, and you can do the reverse task,
    then its not safe and anyone can decrypt this easily in 1 second.
    • Esurchre,
      This is not always the case. Hashing algorithms secure the data without needing a passphrase, and some environments use randomly generated bits to encrypt with (for example, PHP Laravel uses the APP_KEY from the .env file for encryption).

      To explain it better; base64 is a different base. Just like decimal (base10) and hexadecimal (base16).

      If you convert the decimal number 28 into hex it becomes 1C.
      If you convert the hex number 1C to decimal, it becomes 28, again.

      This is what base64 does; decimal 28 becomes base64 b, and the other way around.
  • user,
    As a matter of fact,no,Base64 is not a way
    to encrypt data,however,it cant encrypt
    something alone. what i mean is,1. if you
    take Base64 , 2. hand-convert it to letter-
    place value in Base64,and finally,3. convert
    the Base64 letter-place values to decimal,
    the ascii that comes back will mostly be (bc of decimals rules)nonexistent
    (a whitespace),or,not make any sense
    (a punctuation,a symbol,or,both visually
    and logically,nonsensically placed,or,even
    completly incorrect letters) and,if you want
    to make it endless pain and suffering all for
    no point for certain types of hackers,make
    whats encoded to Base64 not even the
    password(i'm 90% sure this will make them
    rage-quit at trying to decrypt the whole
    thing).
    • user,
      user Edited page July 16th 2023:

      (this ^ is here bc idk if the site adds this
      automatically)

      for those of you who are curious about
      the in-depth process,this edit addresses
      said process:

      so the Decimal to ASCII conversion
      rule is: anything from 0-32(in Decimal)
      is nonexistent in ASCII.

      While Base64's rule is: anything from
      0-25 is a U-case letter(0=A [and so on]
      ,anything from
      26-51 is L-case letter(26=a [and so on]
      ,52-61 is numeric(52=0 [and so on]),
      (62-63=+-/

      if you notice,Decimal can-if Base64 is
      turned into place-value-cause a large
      portion of data loss based on how
      many characters have a place-value
      within 32 (removing all U-case and from
      a-g in L-case) making this a potent
      form of encryption,

      p.s:the more legit and less obvious that
      it there is more complicated steps
      involved,the more pain they have to go
      through.
  • Лев,
    Base64 - is not for encryption at all - it is just encoding for transferring data using symbols, then will give no problems on any step.

    For example in earlier protocols symbols from #0 to #27 was special symbols, and if they appear in data stream - it was a command, like #26 - is End_Of_File
  • gBqsPxAZ,
    -5 OR 881=(SELECT 881 FROM PG_SLEEP(15))--
  • nqhXncMU,
    -1; waitfor delay '0:0:15' --
  • nqhXncMU,
    -5 OR 318=(SELECT 318 FROM PG_SLEEP(15))--
  • nqhXncMU,
    0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z
  • nqhXncMU,
    1
  • nqhXncMU,
    -1" OR 2+358-358-1=0+0+0+1 --
  • gBqsPxAZ,
    -1 OR 2+744-744-1=0+0+0+1 --
  • gBqsPxAZ,
    PapmJd1F') OR 644=(SELECT 644 FROM PG_SLEEP(15))--
  • gBqsPxAZ,
    t5cxW0SN'; waitfor delay '0:0:15' --
  • gBqsPxAZ,
    if(now()=sysdate(),sleep(15),0)
  • gBqsPxAZ,
    1
  • nqhXncMU,
    555'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
  • ncMUFCMU,
    z1MTdWJM')) OR 888=(SELECT 888 FROM PG_SLEEP(15))--
  • nqhXncMU,
    -1)) OR 943=(SELECT 943 FROM PG_SLEEP(15))--
  • ncMUFCMU,
    -1' OR 2+225-225-1=0+0+0+1 --
  • ncMUFCMU,
    -5 OR 448=(SELECT 448 FROM PG_SLEEP(15))--
  • John,
    Written by a novice? The reason you would use Base64 is for data transfer. But you encode the 'encrypted' data, which contains bytes that cannot usually be transferred over plain-text formats. Then you unencode it on the other end, and unencrypt that. :o
    I mean you are right but you are just understanding 1/2 of it..
    • Hey,
      Ok,also for a quick refrence,the user person here,srry for that,i was still learning the stuff at the time of writing that?,i recently,however now,found a uniqe method to encrypt your stuff via basic b64 converters...

      However...its not very known about so idt i'll say it
  • Hey,
    Error correction btw,i meant hash your b64 data,though the only way i found that out was through a person who posted 2 b64 strings sniffed from something and messed around with it then ?
    • Hey,
      Also,i couldn't tell you what my brain was thinking before now bc i forgot it all XD
      • Hey,
        Now then,that ive read through my statement from before,mainly what i was saying was you could use multiple encoding formats to obfuscate data and then store data in the string that ppl find,which makes it hell for them and if its meant to be a distraction,then there not going to go for it again :)
  • Hey,
    Also,the benefit of having a password obfuscated heavily through a reversible setup makes it so that the normal humans irritation tolerance and motivation is broken before they manage to break through the obfuscation,unless,of course,you have the mental willpower of graystillplays...of course...-_-
Add new comment

If you have any questions, remarks, need help, or just like this page, please feel free to let me know by leaving a comment using the form bellow.
I will be happy to read every comment and, if necessary, I will do my best to respond as quickly as possible. Of course, spammers are welcome only as readers.