9

HTTP basic auth sends credentials un-hashed and unencrypted over the wire, relying on TLS for confidentiality in transit. However, should the password be stored hashed using a standard KDF in the backend for comparison on receipt?

Prime
  • 474
  • 6
  • 15

2 Answers2

16

Passwords in general should be stored hashed on the server, no matter if they are transferred within some HTTP POST body as a result of a form submit or if they are transferred in the HTTP header as in Basic authentication.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
12

Yes, it should be. The default backend for HTTP Basic Auth is htpasswd, and it encrypts passwords*:

htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

If you're setting up an alternative backend, such as a database, then you should provide salting and hashing as strong protections against password compromise.

*Note that, per the manual, "The SHA and crypt() formats are insecure by today's standards."

gowenfawr
  • 72,355
  • 17
  • 162
  • 199
  • 13
    "*The default backend for HTTP Basic Auth…*" - why are you assuming the OP is using Apache? – Bergi Sep 11 '20 at 08:55
  • 2
    Nginx also defaults to recommending htpasswd in their [admin guide](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/). But you're correct that this answer skews towards the free, *nix-based alternatives that power [60% of the Internet](https://news.netcraft.com/archives/2019/09/27/september-2019-web-server-survey.html). – gowenfawr Sep 11 '20 at 13:11
  • @gowenfawr For a long time more than 60% of the internet didn't use HTTPS or used SSL3 and TLS1.0. "It's the default" isn't a very good argument for security - if anything it is probably a reason to be leery of it. None of the options listed by htpasswd seem up to the standards of 2020 for hashing passwords... who in their right mind would hash a password using "a version of MD5 modified for Apache"? bcrypt is the best option available and that one hasn't been state of the art for a decade. – Voo Sep 11 '20 at 15:19
  • 4
    Reading the rest of the documentation gives me goosebumps.. "note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.". – Voo Sep 11 '20 at 15:21
  • @Voo being old enough to remember when crypt() was the only option that existed, I'm a little more optimistic than you about the newer algorithm support `htpasswd` tacks on... but it's a shame the tool didn't drop the backwards compatibility for generation (not validation) of passwords. – gowenfawr Sep 11 '20 at 15:34
  • @gowenfawr Sure you can make it reasonably secure. But the defaults are simply awful. Using bcrypt with a high number of rounds (most modern libraries use 12 or more as a default, not htpasswd's *5*) is reasonable if you don't care about hardware attacks, but why no PBKDF2 with SHA256 or scrypt? It just seems like a tool that hasn't seen serious development in a very long time (there's no algorithm supported that was developed this millennium) – Voo Sep 11 '20 at 15:55
  • 2
    @Voo you're right, but what's the alternative for the average web dev? It's open source, you could always make a contribution (that also goes for myself and anyone here). Or is the answer just to modify the config and use bcrypt at 12 or 14 rounds? I don't disagree with anything you've said, but again, what's the alternative you recommend? – TCooper Sep 12 '20 at 00:08
  • @tCooper There's God knows how many libraries that support modern hashing algorithms for every modern programming language out there so that hasn't really been a problem for me. If you need some out of the box program, bcrypt with enough rounds is a decent solution for most scenarios. That said, the use cases for basic auth are pretty minimal these days to begin with. – Voo Sep 13 '20 at 08:50