Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is basic access authentication secure?

Using Apache, it is quite simple to set up a page that uses basic access authentication to prompt a user for a name/password and use those credentials in some way to grant access to that user.

Is this secure, assuming the connection between the client and server is secure?

like image 221
Nathan Osman Avatar asked Jul 24 '10 00:07

Nathan Osman


People also ask

Why is basic authentication generally not recommended?

The worry about basic auth is that the credentials are sent as cleartext and are vulnerable to packet sniffing, if that connection is secured using TLS/SSL then it is as secure as other methods that use encryption.

Should I use basic authentication?

Using basic authentication for authenticating users is usually not recommended since sending the user credentials for every request would be considered bad practice. If HTTP Basic Auth is only used for a single request, it still requires the application to collect user credentials.

Is basic auth vulnerable?

Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session. A user authenticating with basic authentication must provide a valid username and password.

Is API basic authentication secure?

With Basic Authentication, you pass your credentials (your Apigee account's email address and password) in each request to the Edge API. Basic Authentication is the least secure of the supported authentication mechanisms. Your credentials are not encrypted or hashed; they are Base64-encoded only.


1 Answers

The worry about basic auth is that the credentials are sent as cleartext and are vulnerable to packet sniffing, if that connection is secured using TLS/SSL then it is as secure as other methods that use encryption.

like image 198
Chris Diver Avatar answered Sep 18 '22 16:09

Chris Diver