The other day I was thinking about basic authentication. You know the one, the simplest authentication scheme built into the HTTP protocol, and it struck me that it has undeservedly been getting a bad rep. Ask anyone – who is in the know – about basic authentication and the first thing you hear would probably be the fact that it is insecure (it is basic after all). But is it really? Let’s examine the facts.
It’s Only As Secure As Your Transport Mechanism
Just because we store something in plain text (or base64 encoded) does not mean it is inherently insecure. When we get the user’s credentials we want to safely (without anyone stealing them) be able to transport them to where we are. You can think of it like transporting gold (or at least some sort of precious object) in the real world (meatspace :)). We normally try and protect our gold when we transport it, by putting it in an armored vehicle and maybe having a security guard or two around. We certainly don’t load our pickup truck full of bullion and ask our cousin Billy to shoot it down the east coast. A similar situation applies when it comes to user credentials. It does not matter what form the credentials are in (plaintext or not), what we really need is a secure method of transportation.
This is why we have HTTPS, right? When we want to protect against eavesdropping, we use a secure protocol. When we want to protect against stealing, we use a secure transport. Sure we can melt our gold down and combine it with lead (and then figure out some way to pull them apart later), that would make it harder for people to get at it if they steal it. But we already have a secure transport, so perhaps that might be overkill. In a similar vein we can get the credentials a different way and then obfuscate them somehow (encrypt) before we send them down, but we already have a secure connection – so overkill again? At the end of the day you don’t really care about the security of the credentials, you care about the security of the connection over which the credentials are transported.
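To make the transport argument concrete, here is an added example (not code from the original post) of a server-side check that decodes a Basic `Authorization` header and refuses to validate it unless the request arrived over HTTPS. The function names, the sample account and the choice of a 403 response for cleartext requests are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _hash("correct horse")}  # constructed sample account
DUMMY = _hash("")  # compared against when the user is unknown

def make_header(user, password):
    """What a client puts on the wire: base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def check_request(url_scheme, header):
    """Return the HTTP status the server should answer with."""
    if url_scheme != "https":
        # Anyone on the path can decode the header on a cleartext
        # connection, so refuse it rather than validate it.
        return 403
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    expected = USERS.get(user, DUMMY)
    match = hmac.compare_digest(_hash(password), expected)
    return 200 if match and user in USERS else 401
```

The same header that earns a 200 over `https` is rejected over `http`, which is the post's point: the scheme is unchanged, only the transport differs.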
What If The User’s Machine Is Compromised?
Well in this case, no matter what you do you’re pretty much stuffed anyway so worrying about it is pointless. You can’t really control what goes on with the user’s machine. If malicious code already resides on the machine the user can say goodbye to his credentials (and to whatever the credentials are protecting). A simple key-logger or trojan will defeat the most brand-spanking-awesome crypto-obfuscation system you can think of, unless the user is particularly savvy. Even a secure connection matters nothing in this case as the credentials are compromised before they are transported.
The point here is, figure out what you need, as far as secure connections go, and why you need it. Chances are, you might find that basic authentication may serve your needs. It is not the authentication scheme that is insecure, it’s how you implement it!