[standards-jig] JEP-0077 Password Changing Security Flaw
tomek at smoczy.net
Fri Jan 23 20:07:52 UTC 2004
In a message from Fri, 23-01-2004, 06:02, JD Conley writes:
> I'm not talking about
> security in that context. I'm talking about a flaw in the protocol.
What you are describing is a flaw in a client, not in the protocol.
There is no way of changing the password without knowing the current
one. You need to auth first to make a change.
I see no reason for requiring it twice.
You have already proven that you are a legitimate user.
Every "other implementation" you described is a client-side
implementation. It is the /bin/passwd program or the Windows "change password
prompt window" that is protecting you from malicious coworkers.
A Jabber client should do the same.