[standards-jig] JEP-0077 Password Changing Security Flaw

JD Conley jconley at winfessor.com
Fri Jan 23 20:21:12 UTC 2004


Interesting thought. . .

So perhaps we need a directive that clients SHOULD (or MUST maybe?) request both the old and new password, attempt to auth on another stream with the old password and then, if successful, set the new password.  This would make me happy if changing the protocol is out of the question.

JD

> -----Original Message-----
> From: Tomasz Sterna [mailto:tomek at smoczy.net] 
> Sent: Friday, January 23, 2004 12:08 PM
> To: standards-jig at jabber.org
> Subject: RE: [standards-jig] JEP-0077 Password Changing Security Flaw
> 
> W liście z pią, 23-01-2004, godz. 06:02, JD Conley pisze: 
> > I'm not talking about
> > security in that context.  I'm talking about a flaw in the protocol.
> 
> What You are describing is a flaw in a client, not in the protocol.
> 
> There is no way of changing the password without knowing the current
> one. You need to auth first to make a change.
> 
> I see no reason for requiring it twice.
> You already proven that you are a legitimate user.
> 
> Every "other implementation" you described is a client-side
> implementation. It is a /bin/passwd program or windows 
> "change password
> prompt window" that is protecting you from malicious coworkers.
> Same should jabber client do.
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
> 



More information about the Standards mailing list