Is basic access authentication secure?

http basic-authentication

The worry about basic auth is that the credentials are sent as cleartext and are vulnerable to packet sniffing, if that connection is secured using TLS/SSL then it is as secure as other methods that use encryption.


This is an old thread, and I do not believe the highest voted/chosen answer is correct.

As noted by @Nateowami, the security stack exchange thread outlines a number of issues with basic authentication.

I'd like to point out another one: if you are doing your password verification correctly, then basic authentication makes your server more vulnerable to denial of service. Why? In the old days, it was common belief that salted hash was sufficient for password verification. That is no longer the case. Nowadays, we say that you need to have slow functions to prevent brute forcing passwords in the event that the database becomes exposed (which happens all too often). If you are using basic auth, then you are forcing your server to do these slow computations on every API call, which adds a heavy burden to your server. You are making it more vulnerable to DoS simply by using this dated authentication mechanism.

More generally, passwords are higher value than sessions: compromise of a user password allows hijacking the user's account indefinitely, not to mention the possibility of hijacking other systems that the user accesses due to password reuse; whereas a a user session is time-limited and confined to a single system. Therefore, as a matter of defense in depth, high value data like passwords should not be used repeatedly if not necessary. Basic authentication is a dated technology and should be deprecated.


The reason why most sites prefer OAuth over Basic Auth is that Basic Auth requires users to enter their password in a 3rd party app. This 3rd party app has to store the password in cleartext. The only way to revoke access is for the user to change their password. This, however, would revoke access for all 3rd party apps. So you can see what's the problem here.

On the other hand, OAuth requires a web frame. A user enters their login information at the login page of this particular site itself. The site then generates an access token which the app can use to authenticate itself in the future. Pros:

  • an access token can be revoked
  • the 3rd-party app can not see the user's password
  • an access token can be granted particular permissions (whereas basic auth treats every consumer equally).
  • if a 3rd-party app turns out to be insecure, the service provider can decide to revoke all access tokens generated for that particular app.

Basic auth over http in an environment that can be sniffed is like no auth, because the password can be easily reversed and then re-used. In response to the snarky comment above about credit cards over ssl being "a bit" more secure, the problem is that basic authentication is used over and over again over the same channel. If you compromise the password once, you compromise the security of every transaction over that channel, not just a single data attribute.

If you knew that you would be passing the same credit card number over a web session over and over, i'd hope that you'd come up with some other control besides just relying on SSL, because chances are that a credit card number used that frequently will be compromised... eventually.


If you are generating passwords with htpasswd consider switching to htdigest.

Digest authentication is secure even over unencrypted connections and its just as easy to set up. Sure, basic authentication is ok when you are going over ssl, but why take the chance when you could just as easily use digest authentication?

Related

Javascript: Sort array and return an array of indices that indicates the position of the sorted elements with respect to the original elements
How do you select a whole column in visual block mode?
Tell gcc to specifically unroll a loop
Why use functors over functions?
Is chain of StringBuilder.append more efficient than string concatenation?
Select range of lines in Notepad++
Postgresql insert trigger to set value
Navigation Drawer: set as always opened on tablets
belongsTo vs hasMany in Sequelize.js
How do poltergeist/PhantomJS and capybara-webkit differ?
System.getenv() returns null when the environment variable exists [duplicate]
How can I align Android Toolbar menu/icons to the left like in Google Maps app?