We've been discussing this internally and we want to know the opinion of the community. In short, "HTTP Basic" is better because you can hash the password with Bcrypt ... but "HTTP Digest" sends the HA1=MD5(username:realm:password). Even if it's not the password in clear, if you get access to the HA1 value, you can log in in the application. So, "HTTP Digest" is generally considered less secure than any other authentication mechanism.