Nov 10, 2018

Issues with HTTP Basic Authentication

  1. The password is sent in plain text.
  2. The password is sent repeatedly with each request, so there is a larger attack window.
  3. The password is cached by the browser, at a minimum for the lifetime of the window / process. It can then be silently reused by any other request to the server, e.g. CSRF.
  4. The password may be stored permanently in the browser, if the user wants. It therefore might be stolen by another user on a shared machine.
  5. Using SSL only solves the first. And even with that, SSL only protects the password as far as the server - any internal routing, server logging, etc. will see the plain text password.

In conclusion:
  1. HTTPS protects the password in transit.
  2. Usually that alone is not enough.
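To make points 1 and 5 concrete, here is an added example (not part of the original note) showing that a Basic credential is only base64-encoded, and a log-redaction filter that masks the header before a request line is written to disk. The sample log line and the `alice:hunter2` credential are constructed for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

def parse_basic_credentials(header: str) -> Optional[Tuple[str, str]]:
    """Decode an `Authorization: Basic` value into (user, password).

    Basic auth is just base64(user ":" password). Base64 is an encoding,
    not encryption, so anything that sees the header sees the password.
    Returns None if the value is not a well-formed Basic credential.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password

# Matches the token of a Basic Authorization header wherever it appears in a
# raw request line or access-log entry, so it can be masked before logging.
_AUTH_RE = re.compile(r"(?i)(authorization:\s*basic\s+)([A-Za-z0-9+/=]+)")

def redact_basic_auth(log_line: str) -> str:
    """Replace the base64 token with a fixed marker; the scheme stays visible."""
    return _AUTH_RE.sub(r"\1[REDACTED]", log_line)

# Constructed sample: a proxy debug log that echoes request headers verbatim.
SAMPLE_LOG = [
    "GET /admin HTTP/1.1 Authorization: Basic YWxpY2U6aHVudGVyMg== 200",
    "GET /static/app.js HTTP/1.1 200",
]

def redacted_sample() -> List[str]:
    """Run the redaction filter over the constructed log lines."""
    return [redact_basic_auth(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print(parse_basic_credentials("Basic YWxpY2U6aHVudGVyMg=="))
    for line in redacted_sample():
        print(line)
```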