On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx> wrote: > Hello Guys, > > a simple question ..... i know that basic authentication schemas > transmit username/password in cleartext over the wire. It' base64 > encoded, but it's trivially detected and decoded, which make them not > the most secure ones to use. > > do NTLM authentication schemas are more secure than basic ones, i > mean, do NTLM authentication schema transmit cleartext (or simply > encoded) username/passwords over the wire ? NTLM uses a side channel directly between the domain control server and the machine needing to check auth. I'm not sure how that is coded. The HTTP side of the triangle includes a hash of the credentials. One thing to be wary of is that NTLM hash strength is pretty much limited by the Windows releases involved. The older versions used by Win9x are hashes which are now trivially broken, none are completely secure. The latest windows releases have deprecated it in favor of the much more secure Kerberos (but that won't work with anything much older than XP and IE6). There is also digest authentication, which is the IETF standard for secure authentication over HTTP. Some people actually use it too. And it works without needing windows or domain controllers. Amos
