Base 64 encoding in HTTP Basic Auth

Question

I am wondering what is the purpose of encoding the String: "login:password" in base 64 when using HTTP Basic Auth.

Base 64 is usually used to send binary data through ASCII only protocols. But the login:password is already a String
It adds practically no security
The output is longer than the input, so it does not improve performances

I am probably missing something since it does currently seems to me that this encoding just adds an unneeded layer of complexity.

Thank you

related: [Why Base64 in Basic Authentication](http://stackoverflow.com/questions/13661384/why-base64-in-basic-authentication) and [What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?](http://stackoverflow.com/questions/4070693/what-is-the-purpose-of-base-64-encoding-and-why-it-used-in-http-basic-authentica) — Hawkeye Parker, Nov 12 '14 at 07:45
It adds NEARLY no level of security. It is encrypting it slightly. — Thom, Dec 04 '20 at 12:19
Does this answer your question? [What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?](https://stackoverflow.com/questions/4070693/what-is-the-purpose-of-base-64-encoding-and-why-it-used-in-http-basic-authentica) — Boris Verkhovskiy, May 08 '23 at 23:38

score 10 · Accepted Answer · answered Apr 08 '11 at 15:18

10

From http://en.wikipedia.org/wiki/Basic_access_authentication

Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

answered Apr 08 '11 at 15:18

Michael Levy

13,097
15
66
100

Wow, I read the wikipedia article, but I somehow missed this sentence. – almathie Apr 08 '11 at 15:29
2

I don't think was the intent, because otherwise the people who defined this would have realized that they'd need to specify the character encoding to make this work. – Julian Reschke Apr 08 '11 at 16:45
@JulianReschke Could you take a stab at the original intent? Was it maybe just to have _some_ form of obfuscation? – Hawkeye Parker Nov 11 '14 at 09:12
1

I don't know. Long before my time. – Julian Reschke Nov 12 '14 at 20:20

score 3 · Answer 2 · answered Apr 08 '11 at 15:19

My first thought is that it's encoded in Base64 simply to make it less blatantly obvious that it's actually a username and a password.

Secondly, people can put all sorts of strange characters in their passwords -- encoding it in Base64 puts the data in a format that is less "messy", if you will.

Also, the length of the output in the Base64 string is fairly negligible; a couple extra packets of data isn't going to degrade performance any noticeable amount.

From Wikipedia:

While encoding the user name and password with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible.

Wikipedia seems to confirm my initial thoughts. Cheers!

score 0 · Answer 3 · answered Apr 24 '14 at 22:49

0

The encoding with base64 is usually followed up by connecting through an SSL connection, which will then encrypt the encoded username and password for additional security.

answered Apr 24 '14 at 22:49

Rodney P. Barbati

1,883
24
18

Base 64 encoding in HTTP Basic Auth

3 Answers3

Linked