Even young professionals know the difference between the basic and digest authentication, thus: in basic authentication - the password is transmuted in clear (reverse calculable) and this is bad. On the other side digest authentication- the password is never transmitted over the transport channel than hashes of password with random nonce. These methods are available in WS-Security , HTTP, PPP etc. I am not going to describe it here again, see RFC 2617, RFC 1994, OASIS WS Sec username and token.
It is obvious conclusion avoid basic authentication and use digest, thus prevent sending the password in clear. So far so good, but still digest authentication is rare. Why ?
The answer is obvious but not really understood.
If you use digest authentication, then the user passwords must be stored in your database for verification, like LDAP, MySQL, Active Directory etc. Sure, the user passwords will be protected with some master key and symmetric encryption, but the user passwords are still there and reverse calculable. Every backup copy of the DB contains all user passwords. If someone stills your master key and the DB, then - bad luck :-( The administrator needs to think twice on how to handle this risk.
If you use basic authentication, then the user passwords do not need to be in the database at all. Practical, the database will contain seeded hashed of the user password, like in the Linux system. If a bad guy obtains a copy of the database, he will find only hashes and will never be capable to reverse calculate the real passwords. Sure, they are some rainbow attacks but let us leave them for a moment aside. The administrator will definitely prefer this way, less risk for him. Potentially, he will use TLS to protect the transport channel. He will hope that client verifies the TLS Server certificate as expected ;-)
At the end:
either you send the password in clear (basic auth) and don't sore it in the DB
or store the password in your database but don't send it over transport channel client to server (digest auth).
It is your choice, but you need to understand it.
Historically, it is interesting to know that the Telcos do not trust the transport channel but their administrator. For this reasons, they use mostly CHAP on PPP (digest auth). On the other hand, the web enterprises trust the channel, but do not trust the administrator and use basic auth in order to avoid password in the database. It is a interesting that exactly core competency is doubted even this concussion is very simplified .
