Is it secure to store confidential data on basic HTTPS AUTH?

Question

It's a website backend. Since it will only be accessed by two persons, is there any disadvantage on using basic http auth? The website is under https.

edit: as the title points, there's confidential data inside.

Answer 1

Basic auth has a few issues that were fixed in digest auth, but they mostly don't apply since you're using TLS (which should handle replay attacks and encryption of the secret values). It still might be a good idea to use digest auth anyways, because it's not worse.

Both of these authentication methods are still fairly primitive. The most notable weakness is that they don't include any sort of brute-force protection: an attacker can try potential credentials as fast as your web server will process them. This puts the onus on you to implement throttling in another system, like fail2ban. Similarly, there are no direct audit logs, so you need to make sure that your web server is configured to log authentication accesses, and create a system that can filter and search these logs in case you need to check later to see.

Other than that, there are standard UX/security concerns that may not matter much in your case, since you only have two users. One of these would be whether you have a shared password for everyone, or different user accounts; if it's the former, you have to (securely) distribute a new password any time you want to revoke someone's access, whereas with the latter you have to design a system that automatically updates the digest file and reloads your web server (or do this manually).