Can basic authentication over HTTPS do any harm on a personal one-user server if used in addition to native authentication provided by individual web applications?
2 Answers
Using Basic Authentication over HTTPS is considered to be secure as the main issue with Basic Authentication is that the credentials are sent over clear text.
However, there are some common practices that make using Basic Authentication a bad idea. The following are some examples:
- Usually no request limiting is put in place - This can allow brute force attacks
- Same password for the whole lifetime - usually the password will be static and will stay the same during the entire application lifetime
- If a user forgets his password, how does he reset it?
If an application is using correct configurations and is used over SSL, it is theoretically secure and all that is left is to solve the application design issues.
Thanks! So, no real benefit, but potential issues. I see. – Mihai Nagy Aug 18 '19 at 17:12
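The first pitfall in the answer above, no request limiting, is the one a server owner can actually fix on their side. As an added example that is neither from the answer nor from any real server, here is a small Python verifier for the Basic scheme that keeps only a salted PBKDF2 hash of the password, compares it in constant time and locks a client out after five failures within five minutes; the credential, thresholds and client addresses are all constructed.

```python
import base64
import hashlib
import hmac
import time
from collections import defaultdict

ITERATIONS = 100_000

def make_record(password: str, salt: bytes = b"constructed-salt") -> tuple:
    """Constructed credential record: store a salted hash, never the clear-text password."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"admin": make_record("correct horse battery staple")}   # constructed user

MAX_FAILURES = 5       # failed attempts allowed per client ...
WINDOW_SECONDS = 300   # ... within this many seconds before the client is locked out
_failures = defaultdict(list)   # client id -> timestamps of recent failed attempts

def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization' header value a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: str):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(header: str, client: str, now=None) -> str:
    """Return 'ok', 'denied' or 'locked' for one request from `client`."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[client] if now - t < WINDOW_SECONDS]
    _failures[client] = recent
    if len(recent) >= MAX_FAILURES:
        return "locked"   # throttle guessing before looking at the credentials at all
    creds = parse_basic(header)
    record = USERS.get(creds[0]) if creds else None
    if record is not None:
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", creds[1].encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            return "ok"
    _failures[client].append(now)   # malformed header, unknown user and wrong password all count
    return "denied"
```

Put this behind TLS only, as the answer says; the lockout is per client address, so a server with a reverse proxy in front must use the real client address rather than the proxy's.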
The main problem is probably the unexpected and unusual (and thus confusing) usability for the end user. This includes that it unexpectedly asks for multiple credentials and it is not obvious where to enter which credentials, where to change which credentials and how to proceed if one of these credentials is no longer known. Apart from scaring users it also likely means more time needed to support users.
On top of this there is added complexity in the front- and backend to ask for and check the credentials and also for the additional logic needed for password change and reset. All of these need to be designed, implemented, documented and tested which makes the initial costs higher. Of course the costs of maintaining such a non-standard solution when changes are needed or new developers need to be trained is higher too.
This additional complexity and implementation and support costs might be justified if the objective of the idea is worth it. Unfortunately it is not clear so far if the objective can be achieved in the first place since no objective is given in your question (it is likely just "better security" for some unspecified value of "better"). And it is not clear if the same objective can be reached with a simpler, i.e. less confusing and cheaper, solution.
EDIT: it later became clear (after a comment and edit) that this is a server where the only user is the same as the administrator of the server. In this case all the added complexity is probably irrelevant. Still, there is no objective for the idea given, so it is not clear if the objective is reached at all and if there might be a better solution possible.
Thanks, Steffen! This is a personal one-user server, so there's no administrative overhead. :-) – Mihai Nagy Aug 18 '19 at 17:09
@MihaiNagy: This information should have been part of your question (and be there from the beginning) since it is essential to properly answer the question. – Steffen Ullrich Aug 18 '19 at 17:14