[standards-jig] JEP-0077 Password Changing Security Flaw

JD Conley jconley at winfessor.com
Fri Jan 23 06:24:50 UTC 2004


Exactly.

What would we all say about Microsoft if you were allowed to change your
Active Directory or NT Domain password without knowing the old one?

JD 

> -----Original Message-----
> From: Chris Mullins 
> Sent: Thursday, January 22, 2004 10:01 PM
> To: standards-jig at jabber.org
> Subject: RE: [standards-jig] JEP-0077 Password Changing Security Flaw
> 
> 
> While plain-text passwords are certainly worrisome, at least the option
> is there to send them over a SSL/TLS stream. In fact many servers
> REQUIRE the connection to be over a SSL/TLS stream, making the
> plain-text a little bit less significant than it would otherwise be. 
> 
> There is still no drawback, and significant benefit, to requiring the
> old password. 
> 
> -- 
> Chris
> 
> -----Original Message-----
> From: Joe Hildebrand [mailto:jhildebrand at jabber.com] 
> Sent: Thursday, January 22, 2004 9:52 PM
> To: standards-jig at jabber.org
> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
> 
> And you're not worried about sending the password in plain text?
> 
> This is why we didn't put any iq:register or iq:auth in the IETF spec.
> 
> -- 
> Joe Hildebrand
> 
> On Jan 22, 2004, at 10:02 PM, JD Conley wrote:
> 
> > Obviously you should lock your workstation.  I'm not talking about
> > security in that context.  I'm talking about a flaw in the protocol.
> >
> > There's nothing to stop them from being as malicious as they want.  But
> > they sure couldn't change your domain or local passwords, and go login
> > at their own workstation.  To do that they'd have to enter in your old
> > password.  I think the more security in place, the better.  Especially
> > when it's something so simple.
> >
> > JD
> >
> >> -----Original Message-----
> >> From: Matthew A. Miller [mailto:linuxwolf at outer-planes.net]
> >> Sent: Thursday, January 22, 2004 8:46 PM
> >> To: standards-jig at jabber.org
> >> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
> >>
> >> Or you could lock your workstation.  If someone malicious has enough
> >> access to your workstation to change that password, what's to stop them
> >> from using your e-mail client?  Or deleting all your critical files?
> >>
> >> I think having your Evil Coworker changing your Jabber account password
> >> is the least of your worries...
> >>
> >>
> >> -  LW
> >>
> >> Dudley Carr wrote:
> >>
> >>> JD Conley wrote:
> >>>
> >>>> I know this spec has been around forever, but it has come to my
> >>>> attention that it carries with it a crucial security flaw.  You can
> >>>> change a password without knowing the original password.  Yes, I know
> >>>> you have to be authed.  What if someone could walk up to a shell you
> >>>> happened to leave open, type "passwd" and proceed to set a new password
> >>>> for you?  This is exactly what can happen with the current protocol.
> >>>>
> >>>> Let's say I walk away from my PC and leave my Jabber client running.  My
> >>>> arch enemy Evil Coworker decides to change my password.  Since I'm
> >>>> already logged in, all he has to do is enter the new password.  He can
> >>>> then go over to his own desk, log-in as me, and tarnish my squeaky clean
> >>>> reputation.
> >>>>
> >>>> The answer for avoiding this situation is simple.  All we have to do is
> >>>> enforce that both the old and new passwords are sent in the password
> >>>> change request.  This is how every other password system I've ever seen
> >>>> works.
> >>>
> >>>
> >>> Or the client could just prompt you for the old and new password,
> >>> check the old password against the password used when logging-in
> >>> (assuming the client saved it), and send off the request if and only
> >>> if the passwords matched.
> >>> _______________________________________________
> >>> Standards-JIG mailing list
> >>> Standards-JIG at jabber.org
> >>> http://mailman.jabber.org/listinfo/standards-jig
> >>
> >>
> >>
> 
> 

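The server-side check JD Conley's original message argues for, as an added example that is not part of this thread or of any Jabber server's code: it handles a jabber:iq:register password-change stanza for an already-authenticated session, once as JEP-0077 defines it (new password only, which is the behaviour the thread objects to) and once requiring a hypothetical <old_password/> child that JEP-0077 does not define. The in-memory account store, its password hashing, the "bill" account and both stanzas are constructed here.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NS = "jabber:iq:register"  # namespace JEP-0077 uses for registration and password change

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2 digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(store: dict, user: str, password: str) -> bool:
    salt, digest = store[user]
    return hmac.compare_digest(digest, hash_password(password, salt)[1])

def handle_password_change(store: dict, session_user: str, stanza: str, require_old: bool) -> str:
    """Handle a password-change <iq type='set'/> for an authenticated session.  require_old=False
    is the JEP-0077 behaviour the thread objects to; True also demands a valid <old_password/>."""
    iq = ET.fromstring(stanza)
    query = iq.find(f"{{{NS}}}query")
    if iq.get("type") != "set" or query is None:
        return "bad-request"
    username = query.findtext(f"{{{NS}}}username")
    new_password = query.findtext(f"{{{NS}}}password")
    if username != session_user or not new_password:
        return "not-allowed"  # a session may only change its own password
    if require_old:
        old_password = query.findtext(f"{{{NS}}}old_password")  # hypothetical element
        if not old_password or not verify_password(store, session_user, old_password):
            return "not-authorized"  # missing or wrong old password: refuse the change
    store[session_user] = hash_password(new_password)
    return "ok"

def make_store() -> dict:
    return {"bill": hash_password("correct horse")}  # constructed sample account

# Password-change stanza exactly as JEP-0077 defines it: new password only.
STANZA_NO_OLD = ("<iq type='set' id='change1'><query xmlns='jabber:iq:register'>"
                 "<username>bill</username><password>newpass</password></query></iq>")
# The same request carrying the hypothetical <old_password/> the thread argues for.
STANZA_WITH_OLD = ("<iq type='set' id='change2'><query xmlns='jabber:iq:register'>"
                   "<username>bill</username><old_password>correct horse</old_password>"
                   "<password>newpass</password></query></iq>")
```

With require_old=True the unattended-client scenario from the thread fails closed: a request without the old password, or with a wrong one, is refused and the stored credential stays unchanged.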