Protecting credentials from eavesdropping using HTTP Basic Authorization header:

That's the way to do it right

It is almost useful with https, so that the credentials are sent encrypted to the server

@LetsCodeAlready base64 is not even hashing, it is just a conversion. Useless for encryption.

Artistic impression, colored, 1923

@gosubinit that's why he said httpS.

@gosubinit my previous boss wrote an ERP system that used a special kind of RPC.

It built an object that describes the call, serialized it, then base64 encoded it before sending on the wire, for maximum security.

@mzeffect as secure as rot13

@JustKidding I got it, but using over https still doesn't make it useful from a security point of view.

@gosubinit that is why you need https, so the credentials are sent encrypted to the server, instead of only hashed

@LetsCodeAlready, Lets GetThisStraight Already:

For authentication:
https => encrypt data => good
base64 => does not encrypt data => useless

You can send plain text password over https without the base64. Just like every login form does.

Also,

"Almost useful" = "useless". Example: "in a car, an empty tire is almost useful"