
Digest authentication made sense back when HTTPS was difficult and expensive to set up. Now that Let's Encrypt (and others!) have made HTTPS hosting more accessible, it's mostly pointless.


"Digest" authentication was always bad, even back when HTTPS was difficult.

It requires the server to store passwords in plaintext, rather than as hashes.


Digest auth stores passwords on the server as plaintext; basic auth transmits passwords over the network as plaintext. Both are bad, but I feel like having the plaintext on the network is probably worse.


For sure. But "better than 'Basic'" is a much lower bar than "not bad".

I was going to say that this problem is already noted in the very first RFC, that it was already known to be broken on day one; but on a closer reading I'm not sure that's actually true.


The format that Digest uses to transmit passwords is not a lot better than plaintext. It’s a simple salted hash, which is easily brute-forced offline unless the password is strong.



