[standards-jig] JEP-0077 Password Changing Security Flaw

Chris Mullins cmullins at winfessor.com
Fri Jan 23 05:10:56 UTC 2004

Not having this in there deviates from the best practices for pretty
much every existing modern system. 

Windows does this, all flavors of Unix do this, everything and it's
brother do this. Having the old password in there is important.

Having the old password in there as a Hash (MD5/SHA1) with perhaps the
Session ID added as a Salt value would be good to - although slightly
pointless as the new password is sitting there as plain-text. 

Chris Mullins

-----Original Message-----
From: JD Conley 
Sent: Thursday, January 22, 2004 8:29 PM
To: standards-jig at jabber.org
Subject: [standards-jig] JEP-0077 Password Changing Security Flaw

I know this spec has been around forever, but it has come to my
attention that it carries with it a crucial security flaw.  You can
change a password without knowing the original password.  Yes, I know
you have to be authed.  What if someone could walk up to a shell you
happened to leave open, type "passwd" and proceed to set a new password
for you?  This is exactly what can happen with the current protocol.

Let's say I walk away from my PC and leave my Jabber client running.  My
arch enemy Evil Coworker decides to change my password.  Since I'm
already logged in, all he has to do is enter the new password.  He can
then go over to his own desk, log-in as me, and tarnish my squeky clean

The answer for avoiding this situation is simple.  All we have to do is
enforce that both the old and new passwords are sent in the password
change request.  This is how every other password system I've ever seen

<iq type="set">
    <query xmlns="jabber:iq:register">


Standards-JIG mailing list
Standards-JIG at jabber.org

More information about the Standards mailing list