diff --git a/mechanize/_urllib2_fork.py b/mechanize/_urllib2_fork.py
index 37ceec2..6369923 100644
--- a/mechanize/_urllib2_fork.py
+++ b/mechanize/_urllib2_fork.py
@@ -875,8 +875,15 @@ class AbstractBasicAuthHandler:
 # allow for double- and single-quoted realm values
 # (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
- 'realm=(["\'])(.*?)\\2', re.I)
+ rx = re.compile('(?:^|,)' # start of the string or ','
+ '[ \t]*' # optional whitespaces
+ '([^ \t,]+)' # scheme like "Basic"
+ '[ \t]+' # mandatory whitespaces
+ # realm=xxx
+ # realm='xxx'
+ # realm="xxx"
+ 'realm=(["\']?)([^"\']*)\\2',
+ re.I)
 # XXX could pre-emptively send auth info already accepted (RFC 2617,
 # end of section 2, and section 1.2 immediately after "credentials"
diff --git a/test/test_urllib2.py b/test/test_urllib2.py
index ca17076..6013e6b 100644
--- a/test/test_urllib2.py
+++ b/test/test_urllib2.py
@@ -24,7 +24,7 @@ HTTPCookieProcessor, HTTPRefererProcessor, \
 HTTPErrorProcessor, HTTPHandler
 from mechanize import OpenerDirector, build_opener, Request
-from mechanize._urllib2_fork import AbstractHTTPHandler, normalize_url
+from mechanize._urllib2_fork import AbstractHTTPHandler, normalize_url, AbstractBasicAuthHandler
 from mechanize._util import write_file
 import mechanize._response
@@ -69,6 +69,10 @@ def test_parse_http_list(self):
 self.assertEqual(
 mechanize._urllib2_fork.parse_http_list(string), list)
+ def test_parse_authreq(self):
+ for bad in (",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",):
+ self.assertIsNone(AbstractBasicAuthHandler.rx.search(bad))
+
 def test_request_headers_dict():
 """
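Review bot: The unquoted-realm branch of the new pattern over-captures: when `(["\']?)` matches empty, `([^"\']*)` runs on through spaces and commas, so a challenge such as `Basic realm=foo, charset="UTF-8"` yields a realm of `foo, charset=` rather than `foo` (an unquoted realm is a token and should stop at whitespace or a comma). Keeping exactly three groups so any caller that unpacks `scheme, quote, realm` (outside the hunk) is unaffected, a conditional group restricts only the unquoted form: `'realm=(["\'])?((?(2)[^"\']*|[^ \t,"\']*))(?(2)\\2)',` — with this the quote group is `None` rather than `''` for the unquoted form, which that caller should tolerate. The nested `(?:.*,)*` quantifier the commit removes is what let `search` backtrack exponentially on comma-heavy challenges (the test's comma-only input is that case), so a comment recording the motivation, `# no nested quantifiers: keeps search linear on comma-heavy challenges`, would stop a later cleanup from reintroducing it.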
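Review bot: test_parse_authreq pins only the negative case, so none of the behaviour changes in the rewritten pattern (unquoted realms, the `(?:^|,)` anchor, the optional quote) are covered, and a regression to the old pattern would surface as a hang rather than an assertion failure. Add positive cases with the expected groups, e.g. `self.assertEqual(AbstractBasicAuthHandler.rx.search('Basic realm="x"').groups(), ('Basic', '"', 'x'))`, and the same for `Basic realm='x'`, `Basic realm=x`, and a challenge where Basic follows another scheme after a comma. A comment on the `bad` tuple saying why that literal matters, `# comma-only challenge: made the old nested-quantifier pattern backtrack exponentially`, would explain the otherwise opaque input. The enclosing test class starts outside the hunk.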