Why Base64 offers zero security, common mistakes developers make treating it as obfuscation, and what to use instead.
Base64 looks like this: SGVsbG8sIFdvcmxkIQ==
It's unreadable at a glance, so developers sometimes treat it as a form of security. It is not. Base64 is reversible encoding with no key, no secret, and no security whatsoever.
```javascript
atob("SGVsbG8sIFdvcmxkIQ==") // "Hello, World!"
```
One browser console command. Any developer — or attacker — can decode it in seconds.
Storing passwords as Base64
```
user: admin
password: YWRtaW4xMjM=   <- This is just "admin123"
```
"Hiding" API keys in frontend code
```javascript
const key = atob("c2stbGl2ZV9zZWNyZXRfa2V5XzEyMw==");
// Anyone can open DevTools and see this
```
| Goal | Solution |
|---|---|
| Store passwords | bcrypt, Argon2, scrypt |
| Encrypt data at rest | AES-256-GCM |
| Transmit secrets | TLS (HTTPS) + server-side env vars |
| Hide API keys | Keep them server-side only |
Base64 is encoding, not encryption. Use it for format compatibility, not security.