-2

Now this may seem like a stupid question, but it just occurred to me: How secure is base64 encoding compared to (plain) hashing?

Nobody can read base64 code by itself, but it still isn't that hard to decode it:

atob("SomePasswordInBase64");

I'm wondering if it has ever been used widely in securing applications (SQL, etc.) instead of hashing.

How secure is base64 encoding compared to hashing without salt?

Parking Master
  • I googled your bolded question: https://www.google.com/search?q=how+secure+is+base64+encoding+compared+to+hashing+without+salt The hits provide everything you would need to know. Please make sure to do at least a little research before asking questions. – schroeder Jul 29 '23 at 09:51
  • "it still isn't that hard to decode it" -- not difficult in any way: https://www.base64decode.org/ There is no barrier, impediment, or particular skill required to decode an encoding. – schroeder Jul 29 '23 at 09:55
  • @schroeder lol, okay, just found https://security.stackexchange.com/questions/194646/is-it-okay-to-save-passwords-as-base64-strings-with-no-other-hashing-or-encrypti and it's basically what I asked – Parking Master Jul 29 '23 at 13:18
  • ... which was the top hit for your google search term. And is the duplicate I linked above. So, I'm unsure what your point is... Please make sure to do at least a little research before posting... – schroeder Jul 29 '23 at 13:47
  • @schroeder ok, thank you. I will make sure to next time – Parking Master Jul 29 '23 at 14:34

1 Answer

4

How secure is base64 encoding compared to hashing without salt?

Base64 does not provide any security at all. It is simply a defined mapping of 3x8 byte to 4x6 byte and intended for cases where the underlying layer is not 8 bit clean - like for E-Mail transport, to represent binary data in JSON, as part of a URL string etc. It is trivial and cheap to get the original data back from a base64 encoded string - that's the very purpose of base64.

Hashing (even without salt) is instead a one-way operation, i.e. it is not possible to directly get the original data back. It can only be done with brute-force or by using a previously created dictionary of mappings between original value and hashed value (like hashing of common passwords).

I'm wondering if it has ever been used widely in securing applications (SQL, etc.) instead of hashing.

Base64 was only used for securing applications instead of hashing by developers who did not understand that base64 does not provide any security at all. Unfortunately, there were such cases, but fortunately not widely.

Steffen Ullrich
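The difference described in the answer above, as an added Python example that is not part of the original question or answer: it stores the same constructed accounts three ways and reports what a leaked table exposes under each. The account data, the `COMMON` list, all function names, and the choice of salted PBKDF2 (with its iteration count) as the contrasting scheme are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data: three accounts and a tiny list of common passwords.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "x9!Tq_vL2#rW8pZe"}
COMMON = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 600_000  # PBKDF2 work factor, an assumption for this example


def store_base64(pw: str) -> str:
    return base64.b64encode(pw.encode()).decode()


def store_sha256(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def store_pbkdf2(pw: str) -> str:
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def exposed_by_dump(table: dict, scheme: str) -> dict:
    """Plaintexts readable from a leaked table without per-account guessing."""
    if scheme == "base64":  # decoding needs no key and no guessing
        return {u: base64.b64decode(v).decode() for u, v in table.items()}
    # One precomputed hash->password map is reused for every row. It matches
    # unsalted SHA-256 values and never matches a salted "salt$key" value.
    lookup = {store_sha256(p): p for p in COMMON}
    return {u: lookup[v] for u, v in table.items() if v in lookup}


def build(store) -> dict:
    return {user: store(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    schemes = [("base64", store_base64), ("sha256", store_sha256), ("pbkdf2", store_pbkdf2)]
    for name, store in schemes:
        table = build(store)
        print(name, exposed_by_dump(table, name), "distinct values:", len(set(table.values())))
```

Base64 exposes every password, including the strong one; unsalted SHA-256 exposes only the passwords found in the list and stores identical values for alice and bob, so shared passwords are visible in the table itself.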