I just want to second the above comments about plain text and not being able to time out. The plain text issue is, of course, easily solved with an SSL connection (if you're curious about the .htaccess encoding, I describe it here). If you choose not to use SSL, make sure that you assign users passwords instead of allowing them to pick them. Then, when you assign them, make them difficult to use so they won't reuse them. Yes, they'll find that very annoying and will complain to you, but once their password gets sniffed because a non-encrypted connection was used, they'll be less likely to have reused the password elsewhere.

The timeout issue is another problem. There is no direct way to time out an .htaccess authentication. People tend to forget that one of the worst security problems lies not with some cracker in Suburbia trying to break into your box, but the disgruntled coworker sitting next to you. Walking away from an open browser with a session that doesn't time out can have serious implications, even if the data being stored is trivial.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.