Base 64 encoding in HTTP Basic Auth

Question

I am wondering what is the purpose of encoding the String: "login:password" in base 64 when using HTTP Basic Auth.

• Base 64 is usually used to send binary data through ASCII only protocols. But the login:password is already a String
• It adds practically no security
• The output is longer than the input, so it does not improve performances

I am probably missing something since it does currently seems to me that this encoding just adds an unneeded layer of complexity.

Thank you

Answer 1

From http://en.wikipedia.org/wiki/Basic_access_authentication

Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Answer 2

My first thought is that it's encoded in Base64 simply to make it less blatantly obvious that it's actually a username and a password.

Secondly, people can put all sorts of strange characters in their passwords -- encoding it in Base64 puts the data in a format that is less "messy", if you will.

Also, the length of the output in the Base64 string is fairly negligible; a couple extra packets of data isn't going to degrade performance any noticeable amount.

From Wikipedia:

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Wikipedia seems to confirm my initial thoughts. Cheers!