Basic authentication is simple andconvenient, but it is not secure. It should only be used to preventunintentional access from nonmalicious parties or used in combinationwith an encryption technology such as SSL.
Consider the following security flaws:
Basic authentication sends the username and password across thenetwork in a form that can trivially be decoded. In effect, thesecret password is sent in the clear, for anyone to read and capture.Base-64 encoding obscures the username and password, making it lesslikely that friendly parties will glean passwords by accidentalnetwork observation. However, given a base 64-encoded username andpassword, the decoding can be performed trivially by reversing theencoding process. Decoding can even be done in seconds, by hand, withpencil and paper! Base 64-encoded passwords are effectively sent“in the clear.” Assume thatmotivated third parties will intercept usernames and passwords sentby basic authentication. If this is a concern, send all your HTTPtransactions over SSL encrypted channels, or use a more secureauthentication protocol, such as digest authentication.
Even if the secret password wereencoded in a scheme that was more complicated to decode, a thirdparty could still capture the garbled username and password andreplay the garbled information to origin servers over and over againto gain access. No effort is made to prevent these replay attacks.
Even if basic authentication ...
