Passing username and password in URL to a `htpasswd` protected domain, would it be encrypted?

I know you can input the Username, Password and Domain for an htpasswd protected URL using the following schema:

http://$username:$password@$Domain

e.g.:

http://sam:[email protected]

But would this work for an HTTPS Domain? And if so, would the Username and Password be encrypted in transit?

sam asked Jan 27 '23 03:01


1 Answer

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding (which can be easily converted to plaintext).
  • The password is sent repeatedly, for each request. (Larger attack window)
  • The password is cached by the web browser, at a minimum for the length of the window / process. (Can be silently reused by any other request to the server, e.g. CSRF).
  • The password may be stored permanently in the browser, if the user requests. (Same as previous point, in addition might be stolen by another user on a shared machine).

Of those, using SSL only solves the first. And even with that, SSL only protects until the web server - any internal routing, server logging, etc. will see the plaintext password.

So, as with anything it's important to look at the whole picture.

Does HTTPS protect the password in transit? Yes.

Is that enough? Usually, no. (I want to say, always no - but it really depends on what your site is and how secure it needs to be.)

Complete credit to the answer below (copied word for word):

https://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https

Tarun Lalwani answered Feb 03 '23 08:02
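The following is an added example, not part of the original question or answer, that shows what happens to the `user:password@host` form of the URL from the question and why the answer calls base64 "easily converted to plaintext". A client strips the userinfo from the URL and sends it as an `Authorization: Basic` header (RFC 7617); the example builds that header, decodes it back to show the password is recoverable by anything that sees the header, and refuses to attach credentials unless the scheme is `https`. The URL, username and password are constructed sample values.

```python
"""Added example: HTTP Basic credentials in a URL are base64-encoded, not encrypted.
Only the transport (HTTPS) protects them in transit; anything terminating or logging
the request (reverse proxy, web server access log) sees the plaintext password."""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth_header(header: str) -> Tuple[str, str]:
    """Reverse the encoding: base64 is reversible, so this is not confidentiality."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def split_userinfo_url(url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Strip `user:password@` from a URL, as a client does before sending the request.
    Returns (clean_url, username, password); the credentials never appear in the
    request line, they are carried in the Authorization header instead."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password


def check_transport(url: str) -> str:
    """Classify a URL: 'no-credentials', 'ok' (credentials over https), or
    'plaintext-credentials' (credentials over http, which an on-path observer can read)."""
    _, user, _ = split_userinfo_url(url)
    if user is None:
        return "no-credentials"
    return "ok" if urlsplit(url).scheme == "https" else "plaintext-credentials"


def build_request(url: str) -> Dict[str, object]:
    """Produce the request line and headers a client would send for `url`.
    Refuses to attach Basic credentials unless the transport is HTTPS."""
    verdict = check_transport(url)
    if verdict == "plaintext-credentials":
        raise ValueError("refusing to send Basic credentials over plaintext HTTP")
    clean, user, pwd = split_userinfo_url(url)
    parts = urlsplit(clean)
    headers: Dict[str, str] = {"Host": parts.netloc}
    if verdict == "ok":
        headers["Authorization"] = basic_auth_header(user or "", pwd or "")
    return {"request_line": f"GET {parts.path or '/'} HTTP/1.1", "headers": headers}


if __name__ == "__main__":
    # Constructed sample URL in the form the question asks about.
    sample = "https://sam:s3cret@example.com/admin"
    req = build_request(sample)
    print(req["request_line"], req["headers"])
    # Show that the header is trivially reversible, i.e. encoded, not encrypted.
    print(decode_basic_auth_header(req["headers"]["Authorization"]))
```

Running it prints `GET /admin HTTP/1.1` with an `Authorization: Basic c2FtOnMzY3JldA==` header, and then `('sam', 's3cret')` recovered from that header. On the HTTPS sample the header is only readable after TLS termination, which is exactly the "SSL only protects until the web server" point in the answer; swapping the scheme to `http` makes `build_request` refuse, since the same header would then be readable on the wire.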