in reply to Re: Accessing Authenticated User's Password From CGI
in thread Accessing Authenticated User's Password From CGI

Unbelievable as it may seem, IIS3.0 on Windows NT4.0 actually does provide the password in $ENV{REMOTE_PASSWORD}. I assume this design decision was in some way related to the fact that in IIS, the username/password supplied via basic authentication must be a valid OS signon and getting an NT security token generally requires a plaintext password. I'm not sure if this 'feature' has been removed in more recent versions of IIS.

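Added example, not part of the original post: a Perl routine a CGI script could call before doing anything else, to detect and remove a password exposed through the environment so it never reaches a debug dump of `%ENV` or a child process. `REMOTE_PASSWORD` is the name given in the post; checking `HTTP_AUTHORIZATION`, the function name `audit_and_scrub` and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Variables that may carry a Basic-auth secret. REMOTE_PASSWORD is the one
# named in the post; HTTP_AUTHORIZATION (the raw request header) is an
# assumption about what a server might also pass through.
my @SECRET_VARS = qw(REMOTE_PASSWORD HTTP_AUTHORIZATION);

# Remove secret-bearing entries from the given environment hash and return
# one finding per removed entry. Secret values are never put in a finding.
sub audit_and_scrub {
    my ($env) = @_;
    my @findings;
    for my $name (@SECRET_VARS) {
        next unless defined $env->{$name} && length $env->{$name};
        my $value = delete $env->{$name};   # on %ENV this also hides it from child processes
        my $note  = 'plaintext value was present';
        if ($name eq 'HTTP_AUTHORIZATION' && $value =~ /^Basic\s+(\S+)/i) {
            # Basic auth is only base64("user:password"), so it is a plaintext secret too.
            my ($user) = split /:/, decode_base64($1), 2;
            $note = "Basic credentials for user '$user' were present";
        }
        push @findings, "$name: $note";
    }
    return @findings;
}

# Constructed sample environment (not captured from a real server).
my %sample_env = (
    REMOTE_USER        => 'alice',
    REMOTE_PASSWORD    => 'example-password',
    HTTP_AUTHORIZATION => 'Basic YWxpY2U6ZXhhbXBsZS1wYXNzd29yZA==',
    REQUEST_METHOD     => 'GET',
);

my @findings = audit_and_scrub(\%sample_env);
print "finding: $_\n" for @findings;
print "remaining: ", join(', ', sort keys %sample_env), "\n";

# In a real CGI script, call audit_and_scrub(\%ENV) at the top and send the
# findings to the server error log rather than to the HTTP response.
```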