Using Apache, it is quite simple to set up a page that uses basic access authentication to prompt a user for a name/password and use those credentials in some way to grant access to that user.

Is this secure, assuming the connection between the client and server is secure?

+3  A: 

The worry about basic auth is that the credentials are sent as cleartext and are vulnerable to packet sniffing. If that connection is secured using TLS/SSL, then it is as secure as other methods that use encryption.

Chris Diver
A: 

If you are generating passwords with htpasswd consider switching to htdigest.

Digest authentication is secure even over unencrypted connections and it's just as easy to set up. Sure, basic authentication is ok when you are going over ssl, but why take the chance when you could just as easily use digest authentication?

jwsample
If it is encrypted then there is no reason to use digest over basic auth; there is no 'chance' being taken. If the connection is not encrypted then digest authentication will prevent revealing the password of the user and it will prevent replay attacks, but the data will be sent in plain text. I would hardly call that 'secure even over unencrypted connections'.
Chris Diver
The "chance" is more like a misconfigured server allowing someone to access the page unencrypted or a user doing so accidentally. This wasn't a question about whether information is better sent over ssl or in the clear. Basic authentication is at the lowest of the low in terms of password authentication security standards. There is a reason you don't see it much in the wild.
jwsample
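The two answers above make a protocol-level point that is easy to see in code: a Basic `Authorization` header is only base64, so anyone who can read the unencrypted connection recovers the password, whereas Digest sends an MD5 response over a server nonce, and the server itself only needs to store `MD5(user:realm:password)` (the value htdigest writes). The following is an added example, not code from the thread or from Apache; the realm, user, password and nonce values are constructed for the demonstration, and the replay check keyed on (nonce, nc) is a minimal illustration of the replay protection the comments refer to.

```python
import base64
import hashlib
import secrets

# Constructed sample values (not from the original thread)
REALM = "Protected Area"
USER = "alice"
PASSWORD = "correct horse battery staple"


def basic_header(user, password):
    """Build the Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials_from_header(header):
    """What a passive observer of an unencrypted connection recovers:
    base64 is an encoding, not encryption, so the password is cleartext."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what an htdigest file stores,
    so the server never holds or receives the cleartext password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri). Only hashes cross the wire."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()
    ).hexdigest()


class DigestServer:
    """Minimal server-side verifier: keeps HA1 per user, issues fresh
    nonces, and rejects a repeated (nonce, nc) pair as a replay."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued_nonces = set()
        self.seen = set()

    def add_user(self, user, password):
        self.ha1_by_user[user] = digest_ha1(user, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None or nonce not in self.issued_nonces:
            return False
        if (nonce, nc) in self.seen:
            return False  # replayed request: same nonce and counter
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


def demo():
    """Walk through both schemes and return (sniffed_basic_password,
    digest_first_ok, digest_replay_ok, digest_wrong_password_ok)."""
    # Basic: the header alone yields the password to an observer.
    _, sniffed = basic_credentials_from_header(basic_header(USER, PASSWORD))

    # Digest: the client computes a response over the server nonce.
    server = DigestServer(REALM)
    server.add_user(USER, PASSWORD)
    nonce = server.challenge()
    cnonce, nc = secrets.token_hex(8), "00000001"
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, "GET", "/secret", nonce, nc, cnonce)
    first = server.verify(USER, "GET", "/secret", nonce, nc, cnonce, resp)
    replay = server.verify(USER, "GET", "/secret", nonce, nc, cnonce, resp)
    bad = digest_response(digest_ha1(USER, REALM, "wrong"), "GET", "/secret",
                          nonce, "00000002", cnonce)
    wrong = server.verify(USER, "GET", "/secret", nonce, "00000002", cnonce, bad)
    return sniffed, first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Note what the example does not do: the request and response bodies are still plaintext in both schemes, which is the point Chris Diver makes, and Digest's MD5 construction is a weak hash by modern standards. The practical conclusion either way is to serve the protected area over TLS.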
+1  A: 

As the name itself implies, 'Basic Authentication' is just a basic security mechanism. Don't rely on it to provide you with worry-free security.

Using SSL on top of it does make it a bit more secure, but there are better mechanisms.

SoftwareGeek
So sending credit card details over SSL is a 'bit more secure' than plain text?
Chris Diver
@Chris Diver - what do you mean?
SoftwareGeek