This plugin Adds Crazy Additional Password Protection and Security to your blog.
Do I have to type in my username and password every admin page?
No. You just have to type it in once and it will keep you logged in until you close your browser.
How Secure Is It
In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text -- it is "uuencoded." Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.
So basically this method of authentication is roughly as safe as telnet-style username and password security -- if you trust your machine to be on the Internet, open to attempts to telnet in by anyone who wants to try, then you have no reason not to trust this method also.
In MD5 Message Digest Authentication, the password is not passed over the network at all. Instead, a series of numbers is generated based on the password and other information about the request, and these numbers are then hashed using MD5. The resulting "digest" is then sent over the network, and it is combined with other items on the server to test against the saved digest on the server. This method is more secure over the network, but it has a penalty. The comparison digest on the server must be stored in a fashion that it is retrievable. Basic Authentication stores the password using the one way crypt() function. When the password comes across, the server uudecodes it and then crypts it to check against the stored value. There is no way to get the password from the crypted value. In MD5, you need the information that is stored, so you can't use a one way hashing function to store it. This means that MD5 requires more rigorous security on the server machine. It is possible, but non-trivial, to implement this type of security under the UnixTM security model.
HTTP Digest Authentication considerations
HTTP Digest authentication is designed to be more secure than traditional digest authentication scheme.
Some of the security strengths of HTTP Digest authentication is:
* The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementations (e.g. JBoss DIGESTAuth) to store HA1 rather than the clear text password. * Client nonce was introduced in RFC2617, which allows the client to prevent chosen plaintext attacks (which otherwise makes e.g. rainbow tables a threat to digest authentication schemes). * Server nonce is allowed to contain timestamps. Therefore the server may inspect nonce attributes submitted by clients, to prevent replay attacks. * Server is also allowed maintain a list of recently issued or used server nonce values to prevent reuse.