Is Apache Digest authentication more secure than Basic or not?

Tags: apache

With basic authentication the password is sent nearly in plain text (base64 encoded) to the server, and on the server side it gets hashed and compared against the hashed password (stored in an htpasswd file or similar). With digest authentication the hashed password is sent to the server (with some server-defined data added, so replay attacks will not work). But to verify the password you need to have the plain password on the server side (or something close to the plain password). This means that if the attacker gets access to the htpasswd file they need to crack all the passwords before they can be used for basic authentication, while if they get access to the htdigest file they can use it directly for digest authentication.

In summary: basic auth is less secure on the wire, but way more secure to store on the server. The best choice of both would therefore be to use basic auth with SSL. But both authentication techniques have the disadvantage that there is no way for a session timeout or explicit logout, i.e. the browser will stay logged in until it gets closed. This makes attacks like CSRF easier.
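To make the two points in the answer concrete, here is an added Python example (not part of the original post) that walks through both schemes: a Basic header decodes straight back to the password, while a Digest response (RFC 2617, qop omitted) is bound to the server nonce but can be verified, and produced, from nothing more than the HA1 value an htdigest file stores. The user, realm, password, nonce and URI are constructed sample values.

```python
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic: the credential itself travels on the wire, only base64-encoded ---
def basic_header(user: str, password: str) -> str:
    """Authorization header value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_from_basic_header(header: str) -> tuple:
    """Without TLS, anyone seeing the header recovers the password by decoding it."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password


# --- Digest: what the server stores and what it needs to verify a response ---
def htdigest_entry(user: str, realm: str, password: str) -> str:
    """Line format Apache's htdigest tool writes: user:realm:HA1, HA1 = MD5(user:realm:password)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Client side: response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(entry: str, user: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Server side: recomputes the response from the stored HA1 only; the password is never needed."""
    stored_user, _realm, stored_ha1 = entry.split(":", 2)
    expected = digest_response(stored_ha1, nonce, method, uri)
    return stored_user == user and hmac.compare_digest(expected, response)


def stored_ha1_is_password_equivalent(entry: str, user: str, nonce: str, method: str, uri: str) -> bool:
    """The answer's point: the htdigest line alone yields a valid response, so protect that file."""
    stored_ha1 = entry.split(":", 2)[2]
    return verify_digest(entry, user, nonce, method, uri, digest_response(stored_ha1, nonce, method, uri))


if __name__ == "__main__":
    entry = htdigest_entry("alice", "Private Area", "s3cret")  # constructed sample credentials
    nonce = "7a1b2c3d"  # server-chosen and fresh for every challenge
    resp = digest_response(md5_hex("alice:Private Area:s3cret"), nonce, "GET", "/private/")
    print(verify_digest(entry, "alice", nonce, "GET", "/private/", resp))       # True
    print(verify_digest(entry, "alice", "fresh-nonce", "GET", "/private/", resp))  # False: a replayed response fails
```

Run it to see that a captured Digest response is useless once the server issues a new nonce, which is the wire-side advantage the answer describes, while the stored HA1 carries the server-side cost.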