Section
1.1.9
Top Level
Sub Level
General
HTTP Basic authentication is considered a weaker form of authentication because:
- Usernames and passwords are easily recovered, since the Authorization header only BASE64-encodes them; encoding is not encryption, so anyone who can read the request (including proxies and log files where TLS is terminated) obtains the clear-text credentials.
- Usernames and passwords are sent on every request, not just once at login, which widens the window in which they can be disclosed.
- There is no real logout: the browser caches the credentials and keeps resending them until it is closed.
- It is susceptible to passerby attacks: an attacker with access to an unattended browser who simply refreshes the page obtains the actual password, as opposed to a revocable session id.
Use forms-based authentication whenever possible.
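To illustrate the first two points, the following is an added example (not part of this standard or of the Natural Webagent product): it scans a few constructed HTTP requests for Basic credentials, decodes them as RFC 7617 describes, and counts how many requests disclosed the same username/password pair. The host name, user name, password and session cookie are hypothetical values invented for the sample.

```python
import base64
import binascii

# Constructed sample traffic (not real captures): three requests to the same
# application, two carrying HTTP Basic credentials and one carrying a session
# cookie instead. "YWxpY2U6czNjcmV0IQ==" is base64 of "alice:s3cret!"
# (hypothetical user and password).
CAPTURED_REQUESTS = [
    "GET /app/index HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0IQ==\r\n\r\n",
    "GET /app/report?id=7 HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0IQ==\r\n\r\n",
    "GET /app/report?id=7 HTTP/1.1\r\nHost: intranet.example\r\n"
    "Cookie: SESSIONID=f3b9c1e2a7d4\r\n\r\n",
]


def extract_basic_credentials(raw_request):
    """Return (user, password) if the request carries HTTP Basic credentials, else None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                           # Bearer, Digest, ... are not Basic
        try:
            # RFC 7617: the token is base64 of "user-id:password"; user-id contains no ':'
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                           # malformed header, nothing recovered
        user, colon, password = decoded.partition(":")
        if not colon:
            return None
        return user, password
    return None


def audit_credential_exposure(requests):
    """Count how many captured requests disclosed each username/password pair."""
    exposures = {}
    for req in requests:
        creds = extract_basic_credentials(req)
        if creds is not None:
            exposures[creds] = exposures.get(creds, 0) + 1
    return exposures


if __name__ == "__main__":
    for (user, password), count in audit_credential_exposure(CAPTURED_REQUESTS).items():
        print(f"user {user!r}, password {password!r} recoverable from {count} request(s)")
```

Run against the sample, the password is recovered from both Basic requests, while the cookie-based request yields nothing: a stolen session id can be revoked server-side, a stolen password cannot.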
Natural Webagent
This does not apply when using EID authentication.