I am developing an application which needs to handle a massive amount of REST requests. Using basic auth will save a lot of computing resources since I don't have to compute the signatures. Also, the documentation will be a lot simpler. What are your thoughts?
The only difference that Basic-Auth makes is that the username/password is passed in the request headers instead of the request body (GET/POST). As such, using basic-auth+https is neither less nor more secure than form-based authentication over HTTPS.
Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session. A user authenticating with basic authentication must provide a valid username and password.
Problems with Basic Authentication: the username and password are sent in every request. Although they are encoded with Base64, this does not add any security since they can be decoded easily. Most configurations of Basic Authentication do not implement protection against password brute forcing.
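The brute-forcing gap mentioned above is straightforward to close on the server side. The following is an added example, not code from any answer on this page: a minimal Basic Auth check in Python that parses the header, refuses requests that did not arrive over HTTPS, compares a salted PBKDF2 hash in constant time, and locks a username after repeated failures. The user store, salt, thresholds and the `is_https` flag are constructed for the demo.

```python
import base64
import hashlib
import hmac
from collections import defaultdict
# Constructed demo credential store: username -> (salt, PBKDF2-SHA256 hash).
# A salted hash rather than the password limits damage if the store leaks.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-demo-salt"  # use os.urandom(16) per user in real code
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
MAX_FAILURES, LOCKOUT_SECONDS = 5, 60  # lock a name after 5 failures for 60 s
_failures = defaultdict(lambda: [0, 0.0])  # username -> [count, locked_until]

def basic_header(user: str, password: str) -> str:
    """Build what a client sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header: str):
    """Return (user, password) from an Authorization header value, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(header: str, is_https: bool, now: float) -> str:
    """Classify one request as 'insecure', 'locked', 'denied' or 'ok'."""
    if not is_https:              # credentials would travel in the clear
        return "insecure"
    creds = parse_basic_auth(header)
    if creds is None:
        return "denied"
    user, password = creds
    state = _failures[user]
    if now < state[1]:
        return "locked"
    # Hash even for unknown users so response time does not reveal valid names.
    salt, expected = USERS.get(user, (_SALT, b"\0" * 32))
    if user in USERS and hmac.compare_digest(_hash_password(password, salt), expected):
        state[0] = 0              # success resets the failure counter
        return "ok"
    state[0] += 1
    if state[0] >= MAX_FAILURES:
        state[1] = now + LOCKOUT_SECONDS
    return "denied"
```

A real deployment would keep the failure counters in shared storage and key them by client as well as username, but the checks themselves are the ones shown.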
Yes. Basic Auth over SSL is actually stronger than Digest without SSL.
However, the overhead of SSL is much higher compared to computing hashes so there is no performance gain there.