diff --git a/scripts/base/protocols/http/main.zeek b/scripts/base/protocols/http/main.zeek
index 0f65c6b984..e334a83253 100644
--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@@ -338,8 +338,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			if ( /^[bB][aA][sS][iI][cC] / in value )
 				{
 				local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, ""));
-				local up = split_string(userpass, /:/);
-				if ( |up| >= 2 )
+				local up = split_string1(userpass, /:/);
+				if ( |up| == 2 )
 					{
 					c$http$username = up[0];
 					if ( c$http$capture_password )
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
new file mode 100644
index 0000000000..e386f15fb5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.24.133.205	43090	172.24.133.205	8000	1	GET	172.24.133.205:8000	/	-	1.0	python-requests/2.31.0	-	0	643	200	OK	-	-	(empty)	test	1:34	-	-	-	-	FM4Ls72L4REzbA61lg	-	text/html
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/basic-auth-with-colon.trace b/testing/btest/Traces/http/basic-auth-with-colon.trace
new file mode 100644
index 0000000000..c1b03b6ecb
Binary files /dev/null and b/testing/btest/Traces/http/basic-auth-with-colon.trace differ
diff --git a/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
new file mode 100644
index 0000000000..6cef93eba7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
@@ -0,0 +1,8 @@
+# Authorization: Basic password has a colon in its value
+#
+# @TEST-EXEC: zeek -b -r $TRACES/http/basic-auth-with-colon.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;