HTTP Basic Authentication: How Username and Password are Transmitted

Username and Password Transmission in Basic HTTP Authentication



How are the username and password transmitted if a basic HTTP authentication is used?




A. B. C. D.


When basic HTTP authentication is used, the username and password are transmitted as a Base64-encoded string. The client (such as a web browser) sends an HTTP request that includes an "Authorization" header field whose value is the word "Basic", followed by a space and a Base64-encoded string that contains the username and password, separated by a colon.

For example, if the username is "alice" and the password is "secret", the client would send the following header field:

Authorization: Basic YWxpY2U6c2VjcmV0

The string "YWxpY2U6c2VjcmV0" is the Base64 encoding of the string "alice:secret".

Base64 encoding is not a form of encryption. It is a reversible encoding that can be easily decoded by anyone who intercepts the traffic. Therefore, basic HTTP authentication should only be used over secure connections (such as HTTPS) to prevent unauthorized access to the credentials.

Option B (MD5 hash of the combined username and password) and option C (username in cleartext and MD5 hash of the password) are not correct because HTTP basic authentication does not involve hashing the credentials. Instead, the username and password are transmitted in plain text (albeit encoded in Base64).

Option D (cleartext username and password) is also not correct because while the credentials are transmitted in plain text, they are still encoded in Base64, which is not the same as cleartext.