Security Encyclopedia

Cleartext

Cleartext is information that is stored or transmitted in unencrypted form. It is already in its usable form, readable and consumable by anyone who can reach it, with no key or decryption step required.

Cleartext is sometimes conflated with plaintext, but the two terms differ. Cleartext has not been subjected to encryption at all, and there is no expectation that it has been; the word describes the state of data at rest or in transit. Plaintext specifically refers to the information fed into a cipher or encryption algorithm (and, equivalently, to what comes out of decryption). Ciphertext, for its part, is the output of the cipher: the same information, rendered unintelligible to anyone who does not hold the key.

Storing data in cleartext invites its theft, alteration, destruction, unauthorized transmission, unsanctioned disclosure, and the like. The database or system where cleartext passwords are stored, for example, is typically guarded only by its own access controls: passwords and other shared secrets, sometimes supplemented by one-time passwords (OTPs). Should that repository be compromised, the intruder finds data that is immediately intelligible and actionable rather than encrypted, which makes the rest of the job all too easy. Passwords in particular should not be stored even in encrypted form, since a reversible key held by the same system can be taken along with the data; the accepted practice is to store a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) from which the original password cannot be recovered, so that a stolen table yields no usable credentials.
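As an added illustration of the preceding paragraph (new example code, not part of the original entry), the following Python compares a credential table that stores passwords in cleartext with one that stores only a per-user random salt and a slow PBKDF2 hash, then simulates what an attacker who copies each table obtains. The usernames, passwords and the iteration count are constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not real credentials.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

# Illustrative work factor; production values should follow current OWASP guidance.
PBKDF2_ITERATIONS = 100_000


def store_cleartext(users):
    """Weak pattern: the table holds the password itself, readable by anyone holding the table."""
    return {name: {"password": pw} for name, pw in users.items()}


def store_hashed(users):
    """Hardened pattern: each row holds a random salt and a slow salted hash.

    The password itself is never written anywhere, so a copy of the table
    does not contain it, and there is no decryption key whose loss would reveal it.
    """
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)  # unique per user, so identical passwords hash differently
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        records[name] = {
            "salt": salt.hex(),
            "hash": digest.hex(),
            "iterations": PBKDF2_ITERATIONS,
        }
    return records


def verify_hashed(records, name, candidate):
    """Login check against the hardened table: recompute the hash and compare in constant time."""
    rec = records.get(name)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def breach_dump(records):
    """What an attacker who copies the table walks away with: every stored field, as text."""
    return "\n".join(f"{name}: {fields}" for name, fields in records.items())


def credentials_exposed(dump, users):
    """Usernames whose real password appears verbatim in the stolen dump."""
    return sorted(name for name, pw in users.items() if pw in dump)


if __name__ == "__main__":
    weak_dump = breach_dump(store_cleartext(SAMPLE_USERS))
    hardened_table = store_hashed(SAMPLE_USERS)
    hardened_dump = breach_dump(hardened_table)
    print("cleartext table leaks:", credentials_exposed(weak_dump, SAMPLE_USERS))
    print("hashed table leaks:   ", credentials_exposed(hardened_dump, SAMPLE_USERS))
    print("bob still logs in:    ", verify_hashed(hardened_table, "bob", "hunter2"))
```

Running the script shows that the cleartext dump hands over both accounts' passwords while the hashed dump exposes none, and that the hashed table still supports a correct login. A production `verify_hashed` should also run the hash computation for unknown usernames so that response time does not reveal which accounts exist.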

Example:

“Data stored as cleartext, once accessed by an unauthorized party, can be viewed in its original form so it’s advisable — and in many circumstances legally required — to have stored data encrypted as another measure of protecting its confidentiality.”