In principle, quantum key distribution (QKD) offers information-theoretic security based on the laws of physics. In practice, however, the imperfections of realistic devices might introduce deviations from the idealized models used in security analyses. Can quantum code breakers successfully hack real systems by exploiting the side channels? Can quantum code makers design innovative countermeasures to foil quantum code breakers? Theoretical and experimental progress in the practical security aspects of quantum code making and quantum code breaking is reviewed. After numerous attempts, researchers now thoroughly understand and are able to manage the practical imperfections. Recent advances, such as the measurement-device-independent protocol, have closed critical side channels in the physical implementations, paving the way for secure QKD with realistic devices.