Section 1.1.9 General

HTTP basic authentication is considered a weaker form of authentication because:

  1. Usernames and passwords are easily recovered, since they are only Base64 encoded (encoded, not encrypted).
  2. The username and password are sent with every request, which increases the window of possible disclosure.
  3. There is no real logout.
  4. It is susceptible to passerby attacks, where an attacker refreshes the browser and steals the actual password, as opposed to a session ID.

Use forms-based authentication whenever possible.
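To make points 1 and 2 concrete, the following is an added Python example (it is not part of the original page and is not Natural or Webagent code). It decodes the credentials carried in an `Authorization: Basic` header, which requires nothing more than a Base64 decode, and then audits a few constructed sample requests for the issues listed above. The sample requests, header values and user names are all constructed for this example; the finding deliberately omits the recovered password, since an audit report should not itself become a credential leak.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not captured traffic). Each entry records the
# URL scheme the request travelled over and its relevant headers.
SAMPLE_REQUESTS: List[Dict] = [
    # Base64 of "alice:s3cr3t", sent over plain HTTP
    {"scheme": "http", "headers": {"Authorization": "Basic YWxpY2U6czNjcjN0"}},
    # Base64 of "bob:hunter2", sent over HTTPS
    {"scheme": "https", "headers": {"Authorization": "Basic Ym9iOmh1bnRlcjI="}},
    # Forms-based login: only a session cookie travels with the request
    {"scheme": "https", "headers": {"Cookie": "JSESSIONID=constructed-session-id"}},
    # A different authentication scheme; not Basic, so not decoded here
    {"scheme": "http", "headers": {"Authorization": "Bearer constructed-token"}},
]


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Returns None for any other scheme or for a malformed token. The user name
    cannot contain ':', so the split happens at the first colon (RFC 7617).
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Base64 is a reversible encoding; anyone who sees the header sees the password.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit_request(req: Dict) -> Dict:
    """Classify one request according to the weaknesses of Basic authentication."""
    auth = req.get("headers", {}).get("Authorization", "")
    creds = decode_basic_credentials(auth)
    if creds is None:
        return {"severity": "ok", "reason": "no Basic credentials in request"}
    user, _password = creds  # password intentionally not reported
    if req.get("scheme", "").lower() != "https":
        return {
            "severity": "critical",
            "user": user,
            "reason": "Basic credentials recoverable from cleartext HTTP (point 1)",
        }
    return {
        "severity": "warning",
        "user": user,
        "reason": "Basic credentials resent on every request and no real logout (points 2 and 3); "
                  "prefer forms-based authentication with a session ID",
    }


def audit_requests(reqs: List[Dict]) -> List[Dict]:
    """Audit a list of requests and return one finding per request, in order."""
    return [audit_request(r) for r in reqs]


if __name__ == "__main__":
    for req, finding in zip(SAMPLE_REQUESTS, audit_requests(SAMPLE_REQUESTS)):
        print(f"{req['scheme']:5s} {finding['severity']:8s} {finding['reason']}")
```

Running the block prints one line per sample request: the cleartext Basic request is rated critical, the Basic-over-HTTPS request is rated a warning because the credentials still travel with every request, and the session-cookie and Bearer requests pass.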

Natural Webagent
This does not apply when using EID authentication.