The biggest reason HTTP Authentication (the Basic scheme) is considered weak is that it does not protect the credentials it carries. The user name and password entered by the user are joined with a colon and converted to base64 in the Authorization header. Base64 is an encoding, not encryption: it uses no key, so it is neither confidential nor safe for transmission over plain HTTP. Anyone sniffing the data stream, or reading a proxy log that recorded the header, can take the base64 string and recover the user name and password without any difficulty.
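To make the point concrete, here is an added example (not code from the original article) that does exactly what a passive eavesdropper would do with a captured request. The request text, the host name intranet.example and the credentials inside it are constructed for this example; nothing here is real traffic.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample: a plain-HTTP request as it would appear on the wire.
# The Authorization header is the base64 of "alice:p@ssw0rd:with:colons".
CAPTURED_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6cEBzc3cwcmQ6d2l0aDpjb2xvbnM=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def encode_basic_auth(username: str, password: str) -> str:
    """Build the header value exactly as a browser does: no key, just base64."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Returns None for other schemes or malformed tokens. The password may itself
    contain colons (RFC 7617), so split only on the first one.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Older clients may send Latin-1; nothing in the scheme says which.
        text = raw.decode("latin-1")
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def credentials_from_capture(raw_request: str) -> Optional[Tuple[str, str]]:
    """Pull the first Basic credential pair out of a captured HTTP request."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return decode_basic_auth(value)
    return None


if __name__ == "__main__":
    creds = credentials_from_capture(CAPTURED_REQUEST)
    print("Recovered credentials:", creds)
```

The only "work" the attacker does is a base64 decode; there is no secret to guess. Note also that once a browser has sent this header for a realm it resends it with every later request to that path, so a single request observed on the network is enough.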
HTTP Authentication may be acceptable if the exchange is wrapped in some other layer of protection, in practice an encrypted connection such as TLS (HTTPS, historically "SSL on port 443"), so that the header is never visible on the wire. Anyone sending their user name and password via HTTP Authentication should check for that additional layer, but the majority of users will not think to look. It therefore becomes the responsibility of the web developer to recognize that HTTP Authentication on its own provides no confidentiality, and to refuse to serve it over plain HTTP; wise clients should still insist on an encrypted connection before typing a password.
Brute force attacks can be performed against HTTP Authentication rather easily. Web servers are designed for volume traffic and to handle multiple requests simultaneously, and a failed Basic authentication is just another 401 response: nothing in the protocol slows down the next attempt. Poorly designed websites allow an unlimited number of HTTP Authentication attempts from the same client, even many in parallel. This means it is easy to run through username:password combinations at high speed until one returns a successful response. Without additional layers of security, such as rate limiting or lockout, a brute force attack can yield devastating consequences on a supposedly secure server. Just because "you" can't break in doesn't mean "someone else" can't break in easily.
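The countermeasure the paragraph above calls for is a server-side check that an unlimited stream of 401s does not get. The following is an added example, not code from the original article: a sliding-window throttle in front of a Basic-auth password check, with a constructed user store (the user alice and her password are assumptions for the demonstration; a real server would store a salted hash, not the password). The limits MAX_FAILURES and WINDOW_SECONDS are illustrative values.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

MAX_FAILURES = 5       # failed attempts allowed per client in the window (illustrative)
WINDOW_SECONDS = 60.0  # sliding window length in seconds (illustrative)

# Constructed user store for the example. Real deployments store a salted
# password hash and verify with the hash's own verify function.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


class BasicAuthThrottle:
    """Counts recent failures per client and refuses further attempts once the
    limit is hit, so a guessing loop is cut off instead of running at wire speed."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        # client key -> timestamps of failures still inside the window
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent_failures(self, key: str, now: float) -> Deque[float]:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def is_locked(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._recent_failures(key, now)) >= self.max_failures

    def attempt(self, client_ip: str, username: str, password: str,
                now: Optional[float] = None) -> int:
        """Return the HTTP status the server should send: 200, 401 or 429."""
        now = time.monotonic() if now is None else now
        key = client_ip
        if self.is_locked(key, now):
            return 429  # Too Many Requests: do not even look at the password
        stored = USERS.get(username)
        # Constant-time comparison so the check itself does not leak how many
        # characters matched. (Unknown users still count as a failure.)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if ok:
            self._failures.pop(key, None)  # a real login clears the counter
            return 200
        self._failures[key].append(now)
        return 401


def simulate_guessing(throttle: BasicAuthThrottle, client_ip: str, username: str,
                      wordlist: List[str], start: float = 0.0) -> List[int]:
    """Replay a password list one attempt per second and return the status codes."""
    return [throttle.attempt(client_ip, username, pw, now=start + i)
            for i, pw in enumerate(wordlist)]


if __name__ == "__main__":
    t = BasicAuthThrottle()
    guesses = ["123456", "password", "alice", "letmein", "qwerty",
               "admin", "correct horse battery staple"]
    print(simulate_guessing(t, "203.0.113.7", "alice", guesses, start=100.0))
```

After five wrong guesses the sixth and seventh attempts get 429 even though the seventh guess is the right password; the counter only drains once the window has passed. Keying the counter on the client address alone is the simplest choice but not a complete one: an attacker can spread guesses across many source addresses, while keying on the user name alone lets an attacker lock legitimate users out. Production setups usually combine both, and pair the throttle with logging of 401 bursts so the attempt is noticed.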
If you, or your web developer, decide to use HTTP Authentication, make sure you apply additional protection: serve it only over an encrypted connection, and limit or lock out repeated failed attempts, so that your users' credentials are not exposed in transit or guessed at leisure.