
RFC 2617 requires that in HTTP Basic authentication, the username and password must be encoded with base64.

To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials.

  basic-credentials = base64-user-pass
  base64-user-pass  = <base64 encoding of user-pass,
                   except not limited to 76 char/line>
  user-pass   = userid ":" password
  userid      = *<TEXT excluding ":">
  password    = *TEXT

Userids might be case sensitive.

If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Since base64 encoding offers zero security of the credentials, why is this done?

josh3736

1 Answer


It is not done for security reasons at all, and more as a means of escaping special characters.

https://stackoverflow.com/questions/4070693/why-base64-encryption

TLS would be employed for security.

Brian Adkins
  • This makes sense, it would be a shame if a user would have two new lines in his password. – droope Jan 30 '13 at 05:21
  • In search of maximum entropy, my password includes three new lines. – Brian Adkins Jan 30 '13 at 05:24
  • Of course, as a means of including tricky characters it's still pretty much a failure - you still can't get a colon into the username, or any non-ASCII Unicode characters into username or password, because there isn't a standard byte encoding to apply before base64, and browsers all choose different encodings. The Basic Auth protocol is just poorly designed in general. – bobince Jan 30 '13 at 11:45
  • @bobince, regarding encoding, the MIME RFC clearly defines the meaning of `TEXT` in `userid` and `password` fields. The fact that most browsers are non-compliant is another matter entirely. – avakar Jan 30 '13 at 12:09
  • @BrianAdkins so [this](http://www.codeproject.com/Articles/38729/Free-PHP-Encoder-Application) is naive? – Metalcoder Oct 24 '13 at 13:16
  • This answer is probably not historically correct. The Basic authentication header is part of the HTTP 1.0 protocol from 1996 and predates TLS. When I read about basic auth in 1998 (in a book!!! remember those?) the explanation was that Base64 is a "better than nothing" scheme to mask passwords from the casual eye. Remember, back then passwords were typically very simple and short (e.g. "Joshua") and engineers were not comfortable seeing their boss's passwords, which would be subject to instant memorization. Base64 makes it a little, but not much, better. – John Wu Jan 05 '17 at 01:04
  • Why must the Authorization header be base64 encoded and the request body not? If the purpose is escaping special characters, I assume it should be done in both. – Alan Evangelista Jul 29 '21 at 20:08
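The following is an added worked example, not code from the question, the answer, or RFC 2617 itself. It builds and parses a Basic credential exactly as the grammar quoted in the question describes (`userid ":" password`, then base64), reproduces the RFC's "Aladdin" / "open sesame" header, and then checks the three points raised in the answer and its comments: the encoding is reversible by anyone who sees the header (no confidentiality, so TLS is what protects it), the base64 output is always made of characters that are legal inside an HTTP header field even when the password contains colons or line breaks (the escaping argument), and, as bobince notes, a colon cannot go in the userid and non-ASCII text has no single agreed byte encoding before base64 (the `charset` parameter and the `charset_variants` helper are my additions to make that visible).

```python
import base64
import re
from typing import Tuple

# Example from RFC 2617, also quoted in the question above.
RFC_EXAMPLE_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="


def encode_basic(userid: str, password: str, charset: str = "utf-8") -> str:
    """Build an Authorization header value per RFC 2617:
    user-pass = userid ":" password, then base64 of the resulting bytes.
    The RFC excludes ':' from userid because the receiver splits on the first colon;
    the charset is an assumption of this example, since RFC 2617 does not fix one."""
    if ":" in userid:
        raise ValueError('userid must not contain ":" (userid = *<TEXT excluding ":">)')
    user_pass = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic(header_value: str, charset: str = "utf-8") -> Tuple[str, str]:
    """Reverse of encode_basic. No key or secret is involved: anyone who can read
    the header recovers the credentials, which is why TLS carries the real security.
    Splitting at the FIRST colon is what lets a password itself contain colons."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic credential")
    user_pass = base64.b64decode(b64, validate=True).decode(charset)
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError('user-pass is missing the ":" separator')
    return userid, password


# Characters base64 can emit. None of them is CR, LF, NUL or a header delimiter,
# so the encoded credential can never break or split the header line.
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=]+")


def is_header_safe(header_value: str) -> bool:
    """True if the credential part of the header contains only base64 characters."""
    _, _, b64 = header_value.partition(" ")
    return _B64_ALPHABET.fullmatch(b64) is not None


def charset_variants(userid: str, password: str) -> set:
    """Show bobince's point: with non-ASCII text, the header value depends on which
    byte encoding the client picked before base64, so different clients disagree."""
    return {encode_basic(userid, password, cs) for cs in ("utf-8", "latin-1")}


if __name__ == "__main__":
    print(encode_basic("Aladdin", "open sesame"))          # matches RFC_EXAMPLE_HEADER
    print(decode_basic(RFC_EXAMPLE_HEADER))                # ('Aladdin', 'open sesame')
    tricky = encode_basic("droope", "line1\nline2:with:colons")
    print(is_header_safe(tricky), decode_basic(tricky))    # True, round-trips intact
    print(charset_variants("user", "pässword"))            # two different header values
```

Note that `is_header_safe` is a property of base64 output, not a check a server needs to run; it is here only to make the escaping argument concrete. A server that implements this scheme should still compare the decoded password in constant time and treat the charset it expects as an explicit decision rather than an accident.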