Should http basic auth passwords be stored hashed serverside?

Passwords in general should be stored hashed on the server, no matter if they are transferred within some HTTP POST body as a result of a form submit or if they are transferred in the HTTP header as in Basic authentication.


Yes, it should be. The default backend for HTTP Basic Auth is htpasswd, and it encrypts passwords*:

htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

If you're setting up an alternative backend, such as a database, then you should provide salting and hashing as strong protections against password compromise.

*Note that, per the manual, "The SHA and crypt() formats are insecure by today's standards."

Tags:

Passwords

Hash

Http Basic Auth

Related

Is there any security risk in not setting a maximum password length? Should I only let my TV connect to the guest WiFi? Prevent a bot accessing login page with multiple IPs and massive list of username/ passwords Password entry: are "paste from password manager" and "eyeball to view passwords" mutually-exclusive features? New Hires get phishing emails very quickly - Reasoning and how to stop Reply to potentially spoofed email Can ISPs replace a website's HTML/JavaScript/HTTP headers with something else? Why is DNS-over-HTTPS such a big security nightmare compared to DNS-over-TLS? How could I make the results of a yes/no vote inaccessible unless it's unanimous in the affirmative, without a trusted third party? Do browsers know domains that are supposed to be encrypted? Break out or bypass php functions Emergency method to erase all data off a machine within seconds

Recent Posts