[standards-jig] JEP-0077 Password Changing Security Flaw

Dudley Carr dudley at cs.stanford.edu
Fri Jan 23 04:42:14 UTC 2004

JD Conley wrote:

> I know this spec has been around forever, but it has come to my
> attention that it carries with it a crucial security flaw.  You can
> change a password without knowing the original password.  Yes, I know
> you have to be authed.  What if someone could walk up to a shell you
> happened to leave open, type "passwd" and proceed to set a new password
> for you?  This is exactly what can happen with the current protocol.
> Let's say I walk away from my PC and leave my Jabber client running.  My
> arch enemy Evil Coworker decides to change my password.  Since I'm
> already logged in, all he has to do is enter the new password.  He can
> then go over to his own desk, log in as me, and tarnish my squeaky clean
> reputation.
> The answer for avoiding this situation is simple.  All we have to do is
> enforce that both the old and new passwords are sent in the password
> change request.  This is how every other password system I've ever seen
> works.  

Or the client could just prompt you for the old and new password, check the old 
password against the password used when logging in (assuming the client saved 
it), and send off the request if and only if the passwords matched.
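To make the flaw and the proposed fix concrete, here is an added illustration (not code from the thread or from any Jabber server): a minimal server-side handler for a jabber:iq:register password change. The first variant behaves as the protocol currently allows, replacing the password on the strength of the session alone; the second refuses unless the request also carries the old password and it verifies against the stored hash. The `<old-password>` element, the `Registrar` class and the stored-hash format are assumptions for illustration only; the JEP itself defines no such element. Checking on the server means the protection does not depend on what any particular client chooses to prompt for.

```python
# Added example: password change with and without old-password verification.
# Element <old-password> and the storage format are illustrative assumptions.
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

NS = "jabber:iq:register"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as '<salt-hex>$<digest-hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def _parse_change(stanza_xml: str):
    """Extract username, new password and (optional) old password from an iq set."""
    root = ET.fromstring(stanza_xml)
    if root.tag != "iq" or root.get("type") != "set":
        raise ValueError("not an iq set")
    query = root.find(f"{{{NS}}}query")
    if query is None:
        raise ValueError("missing register query")
    return (query.findtext(f"{{{NS}}}username"),
            query.findtext(f"{{{NS}}}password"),
            query.findtext(f"{{{NS}}}old-password"))  # hypothetical element


class Registrar:
    """Toy account store; one hashed password per username."""

    def __init__(self) -> None:
        self.users = {}

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def handle_change_flawed(self, session_user: str, stanza_xml: str) -> str:
        """As the protocol stands: an authenticated session is enough to change it."""
        username, new_pw, _ = _parse_change(stanza_xml)
        if username != session_user or username not in self.users or not new_pw:
            return "error:not-authorized"
        self.users[username] = hash_password(new_pw)
        return "ok"

    def handle_change_fixed(self, session_user: str, stanza_xml: str) -> str:
        """Fix proposed in the thread: require and verify the old password too."""
        username, new_pw, old_pw = _parse_change(stanza_xml)
        if username != session_user or username not in self.users or not new_pw:
            return "error:not-authorized"
        if old_pw is None:
            return "error:missing-old-password"
        if not verify_password(old_pw, self.users[username]):
            return "error:not-authorized"
        self.users[username] = hash_password(new_pw)
        return "ok"


# Constructed sample stanzas (not captured traffic).
STANZA_NO_OLD = (
    "<iq type='set' id='c1'><query xmlns='jabber:iq:register'>"
    "<username>bill</username><password>n3wpass</password></query></iq>"
)
STANZA_WRONG_OLD = (
    "<iq type='set' id='c2'><query xmlns='jabber:iq:register'>"
    "<username>bill</username><old-password>guess</old-password>"
    "<password>n3wpass</password></query></iq>"
)
STANZA_GOOD = (
    "<iq type='set' id='c3'><query xmlns='jabber:iq:register'>"
    "<username>bill</username><old-password>s3cret</old-password>"
    "<password>n3wpass</password></query></iq>"
)


def demo() -> dict:
    """Run the same requests against both handlers; returns outcomes by label."""
    flawed = Registrar()
    flawed.add_user("bill", "s3cret")
    fixed = Registrar()
    fixed.add_user("bill", "s3cret")
    return {
        "flawed_no_old": flawed.handle_change_flawed("bill", STANZA_NO_OLD),
        "fixed_no_old": fixed.handle_change_fixed("bill", STANZA_NO_OLD),
        "fixed_wrong_old": fixed.handle_change_fixed("bill", STANZA_WRONG_OLD),
        "fixed_good": fixed.handle_change_fixed("bill", STANZA_GOOD),
        "fixed_new_pw_works": verify_password("n3wpass", fixed.users["bill"]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The flawed handler lets the walk-up attacker from the first message succeed with only the new password; the fixed handler returns an error for the same stanza and only accepts the change once the old password matches.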
