HTTP Basic Access Authentication is a simple challenge and response mechanism to enforce access controls to web resources. It does not require overheads like cookies, session identifiers, login pages, etc. Since this method is on the weak end of the security strength spectrum, it is seldom implemented except on home Wi-Fi routers.
This authentication method does not encrypt the login credentials at all. All it does is send the username and password, separated by a single colon (:) character, encoded in BASE64 format. Therefore it is easy to recover someone's login details if you have a packet capture of the HTTP request and response.
Below is an HTTP request sent from my browser to my Wi-Fi router at home. You will be able to see the encoded username and password fields in the Authorization HTTP header. The `YWRtaW46cGFzc3dvcmQ=` is the BASE64-encoded string.
To decode the data, we can use any base64 decoder. On Linux, the `base64` utility can be used to encode and decode base64 data.
```
$ echo YWRtaW46cGFzc3dvcmQ= | base64 -d
admin:password
```
The above output tells us that the username is `admin` and that the password is `password`.
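The encoding described above, and the decoding the `base64` command performs, as an added Python example that is not part of the original post. The request text is constructed for the example; the function names `encode_basic`, `decode_basic` and `credentials_from_request` are my own. It splits on the first colon only, since RFC 7617 allows colons in the password but not in the user-id, and it returns nothing for a header that is not a well-formed Basic credential rather than raising.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample request, modelled on the kind of capture the post
# describes: a browser talking to a home router over plain HTTP.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    "User-Agent: example-browser\r\n"
    "\r\n"
)


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value the way a browser does:
    base64("username:password"), prefixed with the scheme name."""
    if ":" in username:
        # RFC 7617 forbids a colon in the user-id; on decode it would be
        # indistinguishable from the separator.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Reverse the encoding. Returns (username, password), or None when the
    value is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    # Only the first colon separates the fields: a password may contain colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def credentials_from_request(raw_request: str) -> Optional[Tuple[str, str]]:
    """Scan a captured plaintext HTTP request for a Basic credential, as an
    analyst would when reviewing a packet capture of an unencrypted session."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return decode_basic(value)
    return None


if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))
```

Running the script prints `('admin', 'password')`, the same result as the `base64 -d` command above; the point of `credentials_from_request` is that nothing more than reading the header is needed, which is why the post's advice to put this scheme behind SSL stands.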
This scheme does not provide sufficient security to prevent unauthorised users from retrieving the login credentials. As such, HTTP basic authentication should only be used in combination with SSL.