-1

The title I think gets the point across. Let's focus solely on these hypothetical situations:

  • Basic Auth headers when making API calls with user:pass
  • Storing passwords in an SQL database

What makes this secure in any way when it's easy to tell Base64 is Base64 & then just decode it?

CodeSpent
  • 109
  • 5
  • Encoding an image into an ASCII stream? – miike3459 Feb 15 '19 at 23:47
  • Citation for Django ORM using base64? – AndrolGenhald Feb 15 '19 at 23:50
  • I'm going to update my post here, bear with me. Updated to keep focus on the question. – CodeSpent Feb 15 '19 at 23:51
  • 8
    What makes you think that base64 is used for security at all? It is not. – Greendrake Feb 15 '19 at 23:56
  • 2
    Why are you thinking that passwords are ever stored in a database using Base64? Is there something that made you think this might be acceptable? – AndrolGenhald Feb 15 '19 at 23:58
  • @AndrolGenhald having seen it in a few cases before, as well as in transit for API calls. If I found it acceptable, I wouldn't have asked this question, though. :) I hope people coming in can see that I'm new here & asking a question with the desire to understand. Misconceptions are best addressed through asking, rather than assuming. – CodeSpent Feb 16 '19 at 00:00
  • 4
    @CodeSpent I don't mean to nag, but you mentioned using SHA-256 to hash passwords before you edited the question. While better than merely encoding the plaintext, this is still pretty terrible. You can read [here](https://security.stackexchange.com/a/31846/151903) about how it's done properly, but most frameworks should provide an easy way to use Argon2, bcrypt, or at least PBKDF2. – AndrolGenhald Feb 16 '19 at 00:05
  • @AndrolGenhald I'm a novice with little to no knowledge. I come to these sites to get more direct answers than documentation gives (terminology gap), so apologies, it's just very common that people attack me for not knowing what I'm talking about when I don't pretend to. Thanks for the resource! As for the Django mention, this is regarding a project I've been brought into. Passwords are stored in Base64 and this seemed very wrong to me, which brought me here to make sure I was right to believe it was wrong. – CodeSpent Feb 16 '19 at 00:10
  • 1
    @CodeSpent Glad you came here to ask instead of assuming it was ok! You probably got downvoted because people come along every so often asking basic questions like this without doing much research beforehand. It looks like half your question is a duplicate of [this](https://security.stackexchange.com/q/29916), and the other half is a duplicate of [this](https://security.stackexchange.com/q/194646). – AndrolGenhald Feb 16 '19 at 00:15
  • For future readers, those 2 links above are what you want to look at. While the accepted answer is great, those are really in-depth. – CodeSpent Feb 16 '19 at 01:02
  • 8 years ago [why-do-we-use-base64](https://stackoverflow.com/questions/3538021/why-do-we-use-base64) – kelalaka Feb 16 '19 at 10:36

1 Answer

6

I think you may have a misconception here; Base64 is not necessarily used to protect information. It has the advantage that it can convert mostly any type of byte encoding into a human-readable ASCII stream. This is extremely useful for sending, say, via email, like with an attachment or image in the email.

There are many cases where it's just used to mask information, but not necessarily protect it. For instance, if you view the source of, say, smore.com when logged in, you've got a whole bunch of hidden inputs that their servers use for stuff. They are encoded in Base64. One time I decoded some of this information. None of it was really bad - I mean, I was already logged in anyway. But it was just hidden so that others looking at your screen couldn't see it. I think there were also some special byte sequences in those, which may not be too friendly for POST requests.

So yes, I'd say it's useful as a low-level encoding used to convert byte streams into ASCII, and mask data from visibility, but not decoding.

miike3459
  • 176
  • 5
  • Well put, thanks. So when an API uses Basic Auth, it's not actually secure in transit at all, it's more of an illusion of security? – CodeSpent Feb 15 '19 at 23:54
  • 3
    @CodeSpent Security comes from using TLS. Even if it were hashed client side, without TLS anyone snooping could just submit the hash as if it were a password. – AndrolGenhald Feb 15 '19 at 23:56
  • 1
    @CodeSpent Sometimes, yes. – miike3459 Feb 15 '19 at 23:56
  • 1
    @CodeSpent And if you appreciated my answer, you can mark it accepted if you feel it answered the question :) – miike3459 Feb 15 '19 at 23:56
  • Yes it does, thank you! I am clearly misunderstanding what Base64 is meant for, but this gives me the direction to learn more myself. – CodeSpent Feb 15 '19 at 23:59