Posted April 24, 2008 and filed under Security, Technology

At a customer site this week I overheard the discussion "that password is base64 encrypted"... Ugh, my ears started burning.  There is no such thing as base64 encryption, and the mere idea that some people even use this expression drives me crazy.  Nothing like the illusion of security.

The term Base64 refers to a specific MIME content transfer encoding. It is also used as a generic term for any similar encoding scheme that encodes binary data by treating it numerically and translating it into a base 64 representation.

Wikipedia, 19 April 2008

If you ever needed to "un-encrypt" a base64 "encryption", you would have no trouble finding online or offline tools that could do it instantly: there is no key to recover, because decoding needs nothing but the public 64-character alphabet. So please don't confuse encoding with encryption.
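To make the point concrete, here is base64 written out from its definition, as an added example that is not part of the original post. It regroups every 3 input bytes into four 6-bit indices into a fixed public alphabet, pads with "=", and inverts the same way; no step takes a secret, which is why anyone who holds the output holds the plaintext. The script checks itself against Python's standard library, decodes the encoded string that closes this post, and recovers the value from a constructed config line (`svc_password=...`, a made-up credential, not anything from a real system).

```python
"""Base64 from the definition: a public 64-symbol alphabet, 3 bytes -> 4 symbols,
'=' padding. No key is involved anywhere, so decoding is available to everyone."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
REVERSE = {c: i for i, c in enumerate(ALPHABET)}

# The encoded string at the end of the post.
POST_STRING = "Tm8gU3VjaCBUaGluZyBhcyBCYXNlNjQgRW5jcnlwdGlvbg=="

# Constructed sample of the kind of config line the post describes (not a real credential).
SAMPLE_CONFIG = "svc_password=dXNlcjpwYXNz"


def b64encode(data: bytes) -> str:
    """Regroup each 24-bit (3-byte) chunk into four 6-bit alphabet indices."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # zero-fill a short tail
        sextets = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1  # 1 tail byte -> 2 symbols, 2 -> 3, 3 -> 4
        out.append("".join(ALPHABET[s] for s in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Invert b64encode. The only thing needed is the public alphabet."""
    text = text.rstrip("=")
    if any(c not in REVERSE for c in text):
        raise ValueError("not a base64 string")
    if len(text) % 4 == 1:
        raise ValueError("impossible length: one trailing symbol carries no full byte")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        n = 0
        for c in chunk.ljust(4, "A"):  # 'A' is index 0, so it pads with zero bits
            n = (n << 6) | REVERSE[c]
        nbytes = len(chunk) - 1  # 4 symbols -> 3 bytes, 3 -> 2, 2 -> 1
        out += n.to_bytes(3, "big")[:nbytes]
    return bytes(out)


def recover_from_config(line: str) -> bytes:
    """What an onlooker does with a 'key=base64value' line: just decode it."""
    _, _, value = line.partition("=")
    return b64decode(value.strip())


def matches_stdlib(max_len: int = 64) -> bool:
    """Round-trip every length 0..max_len against base64.b64encode/b64decode."""
    for n in range(max_len + 1):
        data = bytes(range(n))
        if b64encode(data) != base64.b64encode(data).decode("ascii"):
            return False
        if b64decode(b64encode(data)) != data or base64.b64decode(b64encode(data)) != data:
            return False
    return True


if __name__ == "__main__":
    print("stdlib agrees:", matches_stdlib())
    print("post string  :", b64decode(POST_STRING).decode())
    print("config value :", recover_from_config(SAMPLE_CONFIG).decode())
```

Note that nothing in either direction depends on anything the reader does not already have; the alphabet is published in the standard, so "decrypting" base64 is a table lookup, and a base64-looking value in a config file or a captured session is as good as the plaintext to whoever sees it.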

What was even more frustrating for me was when this customer wanted to use an online encoder to encrypt a service account to be used in production with a "password never expires" flag set.  So anyone watching/recording this session would know who the customer was and what password was encoded.  Fortunately I was able to convince them to (at the very least) use a cellular data card network connection to generate the password encoding.  This, however, led me to another (ongoing) frustration: 

Some operating systems (not Windows) choose to store passwords and what-not using this encoding method instead of an actual encryption method.  I can't imagine why this practice is still accepted in some operating systems as a way to protect sensitive information.  For that reason alone I would have a hard time running services on anything other than Windows.

But I digress...  Just remember, Tm8gU3VjaCBUaGluZyBhcyBCYXNlNjQgRW5jcnlwdGlvbg==
