Base32 vs Base64 when humans, QR codes, or secrets are involved
Choose between Base32 and Base64 by looking at readability, transcription risk, and the workflows where each encoding is a better fit.
Tip
Decode a small sample first and confirm whether you are changing representation, changing structure, or actually protecting content.
Base64 wins when compactness matters more than manual handling. Base32 often wins when a human must transcribe, compare, or scan a secret without tripping over punctuation and mixed symbols.
That difference is why authenticator secrets and QR-related setup flows often reach for Base32 even though it is less space-efficient.
Summary
Definition: Base32 and Base64 are binary-to-text encodings with different alphabets and different tradeoffs between compactness and human handling.
Why it matters: Choosing the right encoding reduces copy mistakes, QR friction, and secret-entry errors.
Pitfall: A more compact encoding is not always the more usable one when the value must be read, typed, or shared through constrained channels.
Why Base32 shows up in secret-entry workflows
Base32 uses a restricted alphabet that is friendlier to manual handling. That makes it a practical fit for secrets that appear in setup screens, printed recovery sheets, or QR-backed onboarding flows. The tradeoff is length: the same underlying bytes need more characters than Base64.
That longer output is not a flaw if the workflow benefits more from readability than from compactness.
Why Base64 still dominates transport-heavy workflows
Base64 is denser and more common in protocol and payload transport. It is a natural default when a value is machine-to-machine, packed into headers, or moved in structures where size matters more than manual transcription comfort.
The practical takeaway is not “one is better.” It is that the audience of the encoded value matters.
- Choose Base32 for human-entered or human-reviewed secret material.
- Choose Base64 for denser transport where machines are the main readers.
- Choose Base64URL when the output must live safely in URLs or token segments.
A strong fit for new tools
Base32 pairs naturally with TOTP and otpauth URI work, so it belongs near those encoding flows. Treat it as a human-friendly encoding option, not as a replacement for encryption.
Quick example
Use this when a secret must be typed by a human during setup rather than moved invisibly between systems.
What to notice: This is a workflow decision, not a prestige contest between encodings.
Human-entered secret setup -> Base32 is often the calmer default.
Machine-to-machine payload transport -> Base64 is often the denser default.
Practical check
- Decide whether people or machines are the primary readers of the value.
- Prefer Base32 when transcription risk matters more than length.
- Prefer Base64 or Base64URL when compact machine transport is the real goal.
FAQ
Is Base32 more secure than Base64?
No. They are different encodings, not stronger and weaker protection schemes.
Why are TOTP secrets often Base32?
Because the alphabet is friendlier to human setup and scanning workflows.
Developer workflow
Use this guide as a representation check before you move bytes between an API, token, URL, or file format.
- Encode or decode a small sample first, not the production payload.
- Confirm whether the step changes only representation or changes the underlying structure.
- Keep the original and transformed values together until the receiving system accepts the result.
1. raw bytes or text
2. encode/decode for transport
3. decode back to confirm round trip
4. send only after structure still matches