undefined | Better HN

0 pointslossolo1y ago0 comments

Sure, if you slap Basic Auth with "admin:admin" on phpMyAdmin in 2025, you're asking for it. But a Basic Auth password with 256 bits of entropy is just as resistant to brute force as AES-256 (assuming the implementation is sound and TLS is used). It's not the protocol that's insecure, it's usually how it's deployed.

0 comments

1 comments · 1 top-level

andruby1y ago

Only if it's only accessible via proper TLS (otherwise it's easy to read the user/pass with MITM as basic auth doesn't encrypt the user/pass).

If there is no throttling/rate-limiting/banning then this setup allows for a lot of attempts, wether brute-force or dictionary.

3 more replies

j / k navigate · click thread line to collapse