HashTools

Base64 Is Not Encryption

May 30, 2026

Base64 turns binary data into printable ASCII characters. That's it. It's a formatting change, not a security measure. The process is fully reversible by anyone — no key, no password, nothing.

Decode SGVsbG8gd29ybGQ= and you get Hello world. Every language has a one-liner for this. It takes less than a second.

Why people confuse it for encryption

Because it looks scrambled. A base64 string is unreadable at a glance, which feels like it's been protected somehow. It hasn't. The appearance of scrambling is a side effect of the encoding scheme, not a security property.

The confusion shows up most often when someone base64-encodes a password or API key before storing it in a config file or database. This is equivalent to writing your password in a slightly unusual font — it looks different but offers no protection.

Where base64 is actually useful

Base64 exists to solve a real problem: some systems only handle text, but data is binary. Email attachments, data URIs, JSON payloads — these all need a way to carry arbitrary bytes through channels that weren't designed for binary. Base64 is the answer to that problem.

It's also used as a transport layer inside actual security schemes. JWTs use base64url (a variant with different characters for URL safety) to encode their header and payload. That encoding isn't the security — the HMAC signature is. The encoding is just how the data travels.

The common mistake in code

This shows up constantly in code reviews:

  // "encrypting" a token for storage
  const stored = btoa(userId + ":" + secretToken);

Anyone who gets this value runs atob(stored) and gets the original string. The base64 provided nothing.

If you need to store something that shouldn't be readable — a token, a credential, a secret — you need encryption (AES-256-GCM is the current standard), not encoding. If you need to transmit it securely over HTTP, you need TLS. Base64 doesn't do either of those things.

Encoding vs encryption vs hashing

These are three different things that serve different purposes:

  • Encoding (base64, URL encoding, hex): changes the representation of data, fully reversible, no key required. Use it for compatibility, not security.
  • Encryption (AES, RSA): transforms data so it can only be recovered with the right key. Use it when data needs to be stored or transmitted privately and later retrieved.
  • Hashing (SHA-256, bcrypt): one-way transformation. You can't reverse it. Use it for integrity verification (SHA-256) and password storage (bcrypt).

The confusion between encoding and encryption is one of those mistakes that doesn't look wrong at first glance — the output is unreadable, after all. That's what makes it worth being explicit about.

Try it in the Base64 tool — encode something, then paste the output back in and decode it. No key required, as expected.