Channel: Why doesn't form based authentication use digest instead of plain text - Information Security Stack Exchange

Why doesn't form based authentication use digest instead of plain text


In form based authentication the credentials are sent as such within the message, whereas in digest based authentication a digest of credentials, domain name and a random challenge is sent instead. Form based authentication requires a secure channel (https) by nature.

Why doesn't form-based authentication in web browsers use the digest scheme instead? Or is it that the digest challenge wouldn't provide any additional security over form-based authentication, which requires TLS anyway?

Plus, with digest-based authentication the plain text password has to be stored in the server-side repository instead of hashes. Is this the reason why (encrypted) plain text credentials are favored over the digest in web browsers? In which context would the digest-based scheme actually be more secure than plain text over a secure channel?
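
What each scheme requires the server to keep, worked through as an added example that is not part of the original question. It uses the values from the worked example in RFC 2617, section 3.5; the function names, the constructed nonce and salt, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    # The secret a Digest server must be able to obtain for every user.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response for qop=auth; only HA1 is needed, not the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def form_store(password, salt, rounds=100_000):
    # Form login over TLS: the server sees the password, so it can keep
    # only a salted, slow hash (parameters here are illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def form_verify(stored, password, salt, rounds=100_000):
    return hmac.compare_digest(stored, form_store(password, salt, rounds))

# Values from the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
URI, NONCE = "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE = "00000001", "0a4f113b"

def demo():
    stored_ha1 = ha1(USER, REALM, PASSWORD)      # Digest credential store
    client = digest_response(stored_ha1, "GET", URI, NONCE, NC, CNONCE)
    # A fresh challenge (constructed nonce) answered from the stored value
    # alone: the Digest store is password-equivalent for this realm.
    fresh = "constructed-nonce-0002"
    from_store = digest_response(stored_ha1, "GET", URI, fresh, NC, CNONCE)
    salt = b"constructed-salt"
    stored_kdf = form_store(PASSWORD, salt)      # form-login credential store
    return {
        "rfc_response": client,
        "digest_ok": digest_verify(stored_ha1, "GET", URI, NONCE, NC, CNONCE, client),
        "store_answers_new_challenge": digest_verify(
            stored_ha1, "GET", URI, fresh, NC, CNONCE, from_store),
        "form_ok": form_verify(stored_kdf, PASSWORD, salt),
        "kdf_hash_usable_as_password": form_verify(stored_kdf, stored_kdf.hex(), salt),
    }
```

The Digest store has to hold the password or HA1, and HA1 by itself is enough to answer any challenge for that realm, whereas the salted hash kept for form login cannot be submitted in place of the password.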

