Base64 vs Hex vs Base32: When to Use Each

Base64, Hex, and Base32 all do the same basic job: represent arbitrary binary data using only printable text characters, so it can travel safely through systems — email, URLs, JSON, config files — that weren't built to carry raw bytes. None of them provide any confidentiality; they're encodings, not encryption, and anyone can decode them with no key required. The difference between them is purely about size, alphabet, and where each is conventionally expected.

Hex — one byte, two characters

Hexadecimal maps each byte to exactly two characters from the alphabet 0-9a-f, so the encoded output is always exactly double the size of the input. It's the least space-efficient of the three, but its simplicity — one byte in, two predictable characters out — makes it the natural choice for things humans need to read or manually compare: hash digests (SHA-256, MD5), color codes, memory addresses, and byte-level debugging.

Base64 — the general-purpose default

Base64 packs 3 bytes of input into 4 output characters using a 64-character alphabet (A-Za-z0-9+/, with = padding), for roughly a 33% size increase — much more efficient than hex. That efficiency, plus near-universal library support, is why Base64 is the default for embedding binary data in text formats: image data URIs, JWT segments, email attachments (MIME), and API payloads that need to carry binary content inside JSON.

Base32 — case-insensitive and URL-safe by construction

Base32 uses a smaller, 32-character alphabet (typically A-Z2-7) at the cost of being about 60% larger than the original data — worse than Base64, but with a specific advantage: its alphabet avoids characters that are ambiguous when spoken aloud, hand-typed, or mixed up between upper and lower case (no 0/O or 1/Iconfusion). That's why it shows up in places meant for human transcription — TOTP secret keys (the codes you type in when setting up two-factor authentication), and some URL-shortener or filesystem-safe identifiers.

Quick decision guide

  • Need it compact and machine-to-machine only: Base64.
  • Need it human-readable for debugging (hashes, byte dumps): Hex.
  • A human will read or type it back in (2FA secrets, spoken codes): Base32.

You can convert between all of these with the Encrypt / Decrypttool's Base64 and Hex encode/decode modes, entirely client-side.

← Back to KeyForge