Since FORM authentication passwords and user names are encoded with base64 encoding, is it right to say that FORM authentication passes the password as text? I found myself disagreeing with an answer to a mock exam question that said that FORM authentication passes passwords in text format. The answer did acknowledge the presence of base64 encoding, but since this is weak, the answer given was "password passed as text".
So should I choose "text" in the exam or "password passed in encrypted format"?
It is base64 encoded text. It's plain text, not encrypted.
From the spec: Form Based Authentication has the same lack of security as Basic Authentication since the user password is transmitted as plain text and the target server is not authenticated.