[standards-jig] JEP-0077 Password Changing Security Flaw

Chris Mullins cmullins at winfessor.com
Fri Jan 23 06:00:58 UTC 2004


While plain-text passwords are certainly worrisome, at least the option
is there to send them over an SSL/TLS stream. In fact many servers
REQUIRE the connection to be over an SSL/TLS stream, making the
plain-text a little bit less significant than it would otherwise be.

There is still no drawback, and significant benefit, to requiring the
old password. 

-- 
Chris

-----Original Message-----
From: Joe Hildebrand [mailto:jhildebrand at jabber.com] 
Sent: Thursday, January 22, 2004 9:52 PM
To: standards-jig at jabber.org
Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw

And you're not worried about sending the password in plain text?

This is why we didn't put any iq:register or iq:auth in the IETF spec.

-- 
Joe Hildebrand

On Jan 22, 2004, at 10:02 PM, JD Conley wrote:

> Obviously you should lock your workstation.  I'm not talking about
> security in that context.  I'm talking about a flaw in the protocol.
>
> There's nothing to stop them from being as malicious as they want. But
> they sure couldn't change your domain or local passwords, and go login
> at their own workstation.  To do that they'd have to enter in your old
> password.  I think the more security in place, the better.  Especially
> when it's something so simple.
>
> JD
>
>> -----Original Message-----
>> From: Matthew A. Miller [mailto:linuxwolf at outer-planes.net]
>> Sent: Thursday, January 22, 2004 8:46 PM
>> To: standards-jig at jabber.org
>> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
>>
>> Or you could lock your workstation.  If someone malicious has enough
>> access to your workstation to change that password, what's to stop them
>> from using your e-mail client?  Or deleting all your critical files?
>>
>> I think having your Evil Coworker changing your Jabber account password
>> is the least of your worries...
>>
>>
>> -  LW
>>
>> Dudley Carr wrote:
>>
>>> JD Conley wrote:
>>>
>>>> I know this spec has been around forever, but it has come to my
>>>> attention that it carries with it a crucial security flaw.  You can
>>>> change a password without knowing the original password.  Yes, I know
>>>> you have to be authed.  What if someone could walk up to a shell you
>>>> happened to leave open, type "passwd" and proceed to set a new password
>>>> for you?  This is exactly what can happen with the current protocol.
>>>>
>>>> Let's say I walk away from my PC and leave my Jabber client running.  My
>>>> arch enemy Evil Coworker decides to change my password.  Since I'm
>>>> already logged in, all he has to do is enter the new password.  He can
>>>> then go over to his own desk, log in as me, and tarnish my squeaky clean
>>>> reputation.
>>>>
>>>> The answer for avoiding this situation is simple.  All we have to do is
>>>> enforce that both the old and new passwords are sent in the password
>>>> change request.  This is how every other password system I've ever seen
>>>> works.
>>>
>>>
>>> Or the client could just prompt you for the old and new password,
>>> check the old password against the password used when logging in
>>> (assuming the client saved it), and send off the request if and only
>>> if the passwords matched.
>>> _______________________________________________
>>> Standards-JIG mailing list
>>> Standards-JIG at jabber.org
>>> http://mailman.jabber.org/listinfo/standards-jig
>>
>>
>>

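The server-side check this thread argues for, as an added example (not code from the thread, from JEP-0077, or from any Jabber server): a toy jabber:iq:register password-change handler in the form the JEP specifies, beside one that also demands the old password. The <oldpassword/> element, the build_stanza helper and the UserStore are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = "jabber:iq:register"
OLD_PW_TAG = "oldpassword"  # hypothetical: JEP-0077 defines no old-password field

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:  # toy account store: JID -> (salt, PBKDF2 digest)
    def __init__(self):
        self.users = {}
    def set_password(self, jid, password):
        salt = secrets.token_bytes(16)
        self.users[jid] = (salt, _pbkdf2(password, salt))
    def check(self, jid, password):
        salt, digest = self.users[jid]
        return hmac.compare_digest(_pbkdf2(password, salt), digest)

def build_stanza(new_pw, old_pw=None):  # constructed sample request
    old = f"<{OLD_PW_TAG}>{old_pw}</{OLD_PW_TAG}>" if old_pw else ""
    return (f"<iq type='set' id='chg1'><query xmlns='{NS}'>"
            f"<username>jd</username><password>{new_pw}</password>{old}"
            "</query></iq>")

def _field(iq, tag):
    el = iq.find(f"{{{NS}}}query/{{{NS}}}{tag}")
    return el.text if el is not None else None

def change_password_flawed(store, session_jid, stanza):
    """JEP-0077 as written: being authenticated is all it takes."""
    iq = ET.fromstring(stanza)
    new_pw = _field(iq, "password")
    if iq.get("type") != "set" or not new_pw:
        return "error:bad-request"
    store.set_password(session_jid, new_pw)
    return "result"

def change_password_hardened(store, session_jid, stanza):
    """The thread's proposal: the request must carry the valid old password."""
    iq = ET.fromstring(stanza)
    new_pw, old_pw = _field(iq, "password"), _field(iq, OLD_PW_TAG)
    if iq.get("type") != "set" or not new_pw or not old_pw:
        return "error:bad-request"
    if not store.check(session_jid, old_pw):
        return "error:not-authorized"  # someone at an unlocked client stops here
    store.set_password(session_jid, new_pw)
    return "result"
```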