How secure is using .htpasswd to secure a directory?

@Steve110

Posted in: #Directory #Htaccess #Htpasswd

I'm basically creating something off of my main domain mywebsite.com/intranet. I've created .htpasswd protection for that intranet directory.

I can't implement individual user passwords yet and I want to use .htpasswd as an interim solution.

How secure is this method?

What steps should I take to make this more secure? What permissions for .htaccess and .htpasswd?

10.01% popularity



1 Comment


@Pope3001725

Here are the disadvantages of basic authentication according to Wikipedia:

Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, if SSL/TLS is not used, then the credentials are passed as plaintext and could be intercepted.

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.


As the word "basic" in its name implies, it offers very basic protection but not much more than that. If you're going to use it as a stopgap measure until you can get a custom authentication scheme in place, then it's definitely better than nothing. But if your goal is "real" security, then you should be implementing a custom authentication system ASAP.

10% popularity
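For the permissions and storage part of the question, one way to check an existing deployment, as an added example that is not from the original post or answer. The function names, the constructed sample file, and the policy it checks (no access for "other", file kept outside the document root, no unsalted SHA-1 or crypt/plaintext entries) are assumptions of this example.

```python
import os
import stat
import tempfile

# Hash prefixes documented for Apache's htpasswd formats; "$" catches other crypt schemes.
SCHEMES = (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"),
           ("{SHA}", "sha1-unsalted"), ("$", "other-crypt"))
WEAK = {"sha1-unsalted", "crypt-or-plaintext"}  # assumed policy for this example


def classify(hash_field):
    """Name the hash scheme of one .htpasswd entry from its prefix."""
    for prefix, name in SCHEMES:
        if hash_field.startswith(prefix):
            return name
    return "crypt-or-plaintext"  # legacy crypt() output or a cleartext password


def audit(htpasswd_path, docroot):
    """Return a list of findings for an .htpasswd file (empty list means clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(htpasswd_path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible mode %o" % mode)
    real, root = os.path.realpath(htpasswd_path), os.path.realpath(docroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("stored inside the document root")
    with open(htpasswd_path, encoding="utf-8") as fh:
        for line in fh:
            user, sep, hashed = line.strip().partition(":")
            if sep and classify(hashed) in WEAK:
                findings.append("weak hash for user %s: %s" % (user, classify(hashed)))
    return findings


def demo():
    """Audit a constructed, deliberately badly deployed .htpasswd file."""
    with tempfile.TemporaryDirectory() as docroot:
        path = os.path.join(docroot, ".htpasswd")
        with open(path, "w", encoding="utf-8") as fh:
            # Constructed entries; the hash bodies are placeholders, not real hashes.
            fh.write("alice:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDER\n")
            fh.write("bob:{SHA}PLACEHOLDERPLACEHOLDER0000=\n")
        os.chmod(path, 0o644)
        return audit(path, docroot)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The file still has to be readable by the account the web server runs as, so tightening the mode usually goes together with setting the file's owner or group accordingly.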