diff --git a/common/network/TcpSocket.cxx b/common/network/TcpSocket.cxx index c3733c3..4262be5 100644 --- a/common/network/TcpSocket.cxx +++ b/common/network/TcpSocket.cxx @@ -462,7 +462,7 @@ static uint8_t givecontrolCb(void *messager, const char name[]) WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr, socklen_t listenaddrlen, bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir) { int one = 1; @@ -532,7 +532,7 @@ WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr, settings.passwdfile = strdup(wexp.we_wordv[0]); wordfree(&wexp); - settings.basicauth = basicauth; + settings.disablebasicauth = disablebasicauth; settings.cert = cert; settings.key = certkey; settings.ssl_only = sslonly; @@ -718,7 +718,7 @@ void network::createTcpListeners(std::list *listeners, void network::createWebsocketListeners(std::list *listeners, const struct addrinfo *ai, bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir) { const struct addrinfo *current; @@ -745,7 +745,7 @@ void network::createWebsocketListeners(std::list *listeners, try { new_listeners.push_back(new WebsocketListener(current->ai_addr, current->ai_addrlen, - sslonly, cert, certkey, basicauth, + sslonly, cert, certkey, disablebasicauth, httpdir)); } catch (SocketException& e) { // Ignore this if it is due to lack of address family support on @@ -774,7 +774,7 @@ void network::createWebsocketListeners(std::list *listeners, bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir) { if (addr && !strcmp(addr, "local")) { 
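Review bot: Replacing `const char *basicauth` with `bool disablebasicauth` in the same argument position of the WebsocketListener constructor means a call site this commit missed, or one out of tree, still compiles when it passes a string. A non-null pointer converts implicitly to `true`, which here turns authentication off. Every call visible in this diff has been updated, but the compiler will not catch a stale one. A scoped enum or a positively named flag would make such a call fail to build; at minimum add a comment at the declaration such as `// true turns websocket HTTP basic auth OFF; never pass a pointer here`. The same applies to both createWebsocketListeners overloads and to the declarations in TcpSocket.h, and the constructor body continues outside this hunk.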
@@ -802,7 +802,7 @@ void network::createWebsocketListeners(std::list *listeners, ai[1].ai_addrlen = sizeof(sa[1].u.sin6); ai[1].ai_next = NULL; - createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir); + createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir); } else { struct addrinfo *ai, hints; char service[16]; @@ -825,7 +825,7 @@ void network::createWebsocketListeners(std::list *listeners, gai_strerror(result)); try { - createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir); + createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir); } catch(...) { freeaddrinfo(ai); throw; diff --git a/common/network/TcpSocket.h b/common/network/TcpSocket.h index dd98ce9..3e2dc1e 100644 --- a/common/network/TcpSocket.h +++ b/common/network/TcpSocket.h @@ -91,7 +91,7 @@ namespace network { public: WebsocketListener(const struct sockaddr *listenaddr, socklen_t listenaddrlen, bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir); virtual int getMyPort(); @@ -116,7 +116,7 @@ namespace network { bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir); void createTcpListeners(std::list *listeners, const char *addr, @@ -128,7 +128,7 @@ namespace network { bool sslonly, const char *cert, const char *certkey, - const char *basicauth, + bool disablebasicauth, const char *httpdir); typedef struct vnc_sockaddr { diff --git a/common/network/websocket.c b/common/network/websocket.c index a035426..f0d7f0b 100644 --- a/common/network/websocket.c +++ b/common/network/websocket.c 
@@ -1152,9 +1152,8 @@ ws_ctx_t *do_handshake(int sock) { usleep(10); } - const char *colon; unsigned char owner = 0; - if ((colon = strchr(settings.basicauth, ':'))) { + if (!settings.disablebasicauth) { const char *hdr = strstr(handshake, "Authorization: Basic "); if (!hdr) { handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n"); @@ -1179,15 +1178,13 @@ ws_ctx_t *do_handshake(int sock) { tmp[len] = '\0'; len = ws_b64_pton(tmp, response, 256); - char authbuf[4096]; - strncpy(authbuf, settings.basicauth, 4096); - authbuf[4095] = '\0'; + char authbuf[4096] = ""; // Do we need to read it from the file? char *resppw = strchr(response, ':'); if (resppw && *resppw) resppw++; - if (!colon[1] && settings.passwdfile) { + if (settings.passwdfile) { if (resppw && *resppw && resppw - response < 32) { char pwbuf[4096]; struct kasmpasswd_t *set = readkasmpasswd(settings.passwdfile); diff --git a/common/network/websocket.h b/common/network/websocket.h index e96fc95..fd00987 100644 --- a/common/network/websocket.h +++ b/common/network/websocket.h @@ -71,7 +71,7 @@ typedef struct { unsigned int handler_id; const char *cert; const char *key; - const char *basicauth; + uint8_t disablebasicauth; const char *passwdfile; int ssl_only; const char *httpdir; diff --git a/common/rfb/Configuration.cxx b/common/rfb/Configuration.cxx index ff03a6f..fdfc4d5 100644 --- a/common/rfb/Configuration.cxx +++ b/common/rfb/Configuration.cxx @@ -433,8 +433,7 @@ bool StringParameter::setParam(const char* v) { if (immutable) return true; if (!v) throw rfb::Exception("setParam() not allowed"); - if (strcasecmp(getName(), "BasicAuth")) // don't log the auth info - vlog.debug("set %s(String) to %s", getName(), v); + vlog.debug("set %s(String) to %s", getName(), v); CharArray oldValue(value); value = strDup(v); return value != 0; diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx index 05f9282..31bd16e 100644 --- a/common/rfb/VNCSConnectionST.cxx 
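Review bot: In do_handshake, `authbuf` now starts as an empty string and is only filled inside `if (settings.passwdfile)`, so when no password file is configured, or the inner `resppw` conditions do not hold, the credential comparison runs against an empty expected value. That comparison is outside this hunk, so please confirm it rejects in that case. Failing closed right after the declaration would be safer, for example `if (!settings.passwdfile) { handler_emsg("BasicAuth enabled but no password file configured\n"); /* answer 401 as in the missing-header branch */ }`. The result of `readkasmpasswd(settings.passwdfile)` also has no null check in the visible lines; if it can return NULL, this path is now the default one for every connection. The comment `// Do we need to read it from the file?` is stale, since the file is now the only source.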
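Review bot: StringParameter::setParam now logs every string value verbatim at debug level, because the only exemption was the `BasicAuth` name check removed here. That is consistent with dropping the parameter, but nothing stops a later secret-bearing string parameter from reaching the logs. I would add a comment above the call, such as `// Values are logged verbatim: string parameters must not carry secrets`, or give the parameter a flag that suppresses the value. The function's closing lines are outside this hunk.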
+++ b/common/rfb/VNCSConnectionST.cxx @@ -48,7 +48,7 @@ static LogWriter vlog("VNCSConnST"); static Cursor emptyCursor(0, 0, Point(0, 0), NULL); -extern rfb::StringParameter basicauth; +extern rfb::BoolParameter disablebasicauth; VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s, bool reverse) @@ -1044,13 +1044,12 @@ bool VNCSConnectionST::isShiftPressed() bool VNCSConnectionST::getPerms(bool &write, bool &owner) const { bool found = false; - const char *colon = strchr(basicauth, ':'); - if (!colon || colon[1]) { - // We're running without basicauth, or with both user:pass on the command line + if (disablebasicauth) { + // We're running without basicauth write = true; return true; } - if (colon && !colon[1] && user[0]) { + if (user[0]) { struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath); unsigned i; for (i = 0; i < set->num; i++) { diff --git a/common/rfb/VNCServerST.cxx b/common/rfb/VNCServerST.cxx index 404b2eb..7bec158 100644 --- a/common/rfb/VNCServerST.cxx +++ b/common/rfb/VNCServerST.cxx @@ -81,7 +81,6 @@ EncCache VNCServerST::encCache; // static char kasmpasswdpath[4096]; -extern rfb::StringParameter basicauth; // -=- Constructors/Destructor diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man index 891cc91..809fc1c 100644 --- a/unix/xserver/hw/vnc/Xvnc.man +++ b/unix/xserver/hw/vnc/Xvnc.man @@ -339,9 +339,9 @@ are in the same file, use \fB-cert\fP. Require SSL for websocket connections. Default off, non-SSL allowed. . .TP -.B \-basicAuth \fIuser:pass\fP -Username and password for websocket connections. Default empty, no authentication required. -If the password is empty, read it from the \fB-KasmPasswordFile\fP. +.B \-disableBasicAuth +Disable basic auth for websocket connections. Default enabled, details read from +the \fB-KasmPasswordFile\fP. . .TP .B \-SecurityTypes \fIsec-types\fP diff --git a/unix/xserver/hw/vnc/vncExtInit.cc b/unix/xserver/hw/vnc/vncExtInit.cc index 057ceb5..99e00dc 100644 
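Review bot: In getPerms, the `if (disablebasicauth)` early return assigns only `write`, so `owner` keeps whatever the caller passed in. The callers are not visible here, but one that declares `owner` without initialising it would read an indeterminate permission bit; assign `owner` explicitly in that branch, with the value being a policy decision. The `if (user[0])` branch is now the default path, and it reads `set->num` from `readkasmpasswd(kasmpasswdpath)` with no visible null check. If that helper can return NULL, deny before the loop, e.g. `if (!set) return false;`, assuming `false` means no permissions. The function continues past the end of this hunk.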
--- a/unix/xserver/hw/vnc/vncExtInit.cc +++ b/unix/xserver/hw/vnc/vncExtInit.cc @@ -89,7 +89,7 @@ rfb::IntParameter websocketPort("websocketPort", "websocket port to listen for", rfb::StringParameter cert("cert", "SSL pem cert to use for websocket connections", ""); rfb::StringParameter certkey("key", "SSL pem key to use for websocket connections (if separate)", ""); rfb::BoolParameter sslonly("sslOnly", "Require SSL for websockets", false); -rfb::StringParameter basicauth("BasicAuth", "user:pass for HTTP basic auth for websockets", ""); +rfb::BoolParameter disablebasicauth("DisableBasicAuth", "Disable basic auth for websockets", false); rfb::StringParameter interface("interface", "listen on the specified network address", "all"); @@ -225,7 +225,7 @@ void vncExtensionInit(void) if (!noWebsocket) network::createWebsocketListeners(&listeners, websocketPort, localhostOnly ? "local" : addr, - sslonly, cert, certkey, basicauth, httpDir); + sslonly, cert, certkey, disablebasicauth, httpDir); else if (localhostOnly) network::createLocalTcpListeners(&listeners, port); else
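Review bot: Nothing at this call site in vncExtensionInit records that authentication has been switched off. When `disablebasicauth` is true, do_handshake skips the credential check, and unless `localhostOnly` is set the listeners bind to `addr`. A startup warning through the logger this file already uses, guarded by `if (disablebasicauth && !localhostOnly)`, would make an unauthenticated, network-reachable configuration visible in the logs. The rest of vncExtensionInit is outside this hunk.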