What is a major downside of Basic Authentication?

The major downside of Basic Authentication is that credentials are passed unencrypted. This means when a client sends their username and password to the server using Basic Authentication, this information is encoded in a way (Base64 encoding) that is easily decodable but not secure by itself. If transmitted over an unsecured channel (like HTTP), an attacker can capture and read the credentials easily.

For secure communication, it is recommended to always use Basic Authentication over a secure layer like HTTPS, which encrypts the entire session, making it difficult for attackers to intercept or understand the data being transmitted. Without such encryption, the simplicity of Basic Authentication becomes a significant vulnerability.

Complex passwords (which relates to the first option) can improve security but are not inherent to Basic Authentication itself. Compatibility with request types (second option) doesn't apply because Basic Authentication can work with any HTTP method, not just POST. Using SSL (option four) is indeed possible and often necessary to protect Basic Authentication credentials; thus, the claim that it cannot be used with SSL is inaccurate.