[standards-jig] JEP-0077 Password Changing Security Flaw

JD Conley jconley at winfessor.com
Fri Jan 23 21:22:58 UTC 2004


Windows, Unix, and Mac operating systems as well as numerous network applications require users to enter their old password before changing it.  They have authentication mechanisms too, and generally when you change your password you are already authenticated.

All I'm trying to say is, why is our network application special?  Why do we not require the old password?  There must be some reason everything else requires it.

JD
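Added example (not part of JD's post or of any Jabber client or server): a small Python model of the point under discussion. The JEP-0077 (now XEP-0077) password-change request carries only the new password inside `<query xmlns='jabber:iq:register'/>` on an already-authenticated stream, so the only place an "enter your old password" check can live is the client. The code builds that stanza, runs it against a constructed `FakeServer` that, like a real server, accepts the change from any authenticated stream, and shows the guarded client path (prove the old password first, as JD proposes) beside the unguarded one that anyone at an unlocked client could use. `FakeServer`, the account `bill` and its passwords are constructed for the example.

```python
"""
Client-side guard for a JEP-0077 / XEP-0077 password change.

The stanza shape follows the XEP: <iq type='set'> carrying
<query xmlns='jabber:iq:register'> with <username/> and <password/>.
Everything else here (FakeServer, the 'bill' account) is constructed
for illustration and is not code from any Jabber project.
"""
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"  # namespace defined by XEP-0077


def build_change_iq(username: str, new_password: str, iq_id: str = "change1") -> str:
    """Serialise the XEP-0077 password-change request (it carries no old password)."""
    iq = ET.Element("iq", {"type": "set", "id": iq_id})
    query = ET.SubElement(iq, "query", {"xmlns": NS_REGISTER})
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = new_password
    return ET.tostring(iq, encoding="unicode")


class FakeServer:
    """Constructed stand-in for a Jabber server.

    As the protocol allows, it changes the password of whoever is
    authenticated on the stream without asking for the current one.
    """

    def __init__(self, passwords: dict):
        self.passwords = dict(passwords)

    def authenticate(self, username: str, password: str) -> bool:
        """Models opening a fresh stream and authenticating on it."""
        return self.passwords.get(username) == password

    def handle_iq(self, authenticated_as: str, stanza: str) -> str:
        """Process a jabber:iq:register set on an authenticated stream."""
        iq = ET.fromstring(stanza)
        query = iq.find(f"{{{NS_REGISTER}}}query")
        if iq.get("type") != "set" or query is None:
            return f'<iq type="error" id="{iq.get("id")}"/>'
        username = query.findtext(f"{{{NS_REGISTER}}}username")
        new_password = query.findtext(f"{{{NS_REGISTER}}}password")
        # A sane server only lets a stream change its own account.
        if username != authenticated_as or not new_password:
            return f'<iq type="error" id="{iq.get("id")}"/>'
        self.passwords[username] = new_password
        return f'<iq type="result" id="{iq.get("id")}"/>'


def unguarded_password_change(server: FakeServer, username: str, new_password: str) -> str:
    """What a plain client (or an XML window) does: just send the set."""
    reply = server.handle_iq(username, build_change_iq(username, new_password))
    return "changed" if ET.fromstring(reply).get("type") == "result" else "server-error"


def guarded_password_change(server: FakeServer, username: str,
                            old_password: str, new_password: str):
    """JD's proposal: re-prove the old password before sending the change.

    Returns (status, stanza_sent); stanza_sent is None when nothing went out.
    """
    # Step 1: "attempt to auth on another stream with the old password".
    if not server.authenticate(username, old_password):
        return "old-password-rejected", None
    # Step 2: only now send the XEP-0077 change on the authenticated stream.
    stanza = build_change_iq(username, new_password)
    reply = server.handle_iq(username, stanza)
    ok = ET.fromstring(reply).get("type") == "result"
    return ("changed" if ok else "server-error"), stanza


if __name__ == "__main__":
    srv = FakeServer({"bill": "oldpass"})
    print(guarded_password_change(srv, "bill", "wrong", "newpass"))
    print(guarded_password_change(srv, "bill", "oldpass", "newpass"))
    print(unguarded_password_change(FakeServer({"bill": "oldpass"}), "bill", "hijacked"))
```

The guard is entirely on the client side, which is the thread's point: the wire format gives the server nothing to check, so a client that exposes raw XML entry (or an attacker at an unlocked session) can still bypass it.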

> -----Original Message-----
> From: Justin Karneges 
> [mailto:justin-keyword-jabber.093179 at affinix.com] 
> Sent: Friday, January 23, 2004 12:56 PM
> To: standards-jig at jabber.org
> Subject: Re: [standards-jig] JEP-0077 Password Changing Security Flaw
> 
> Clients that provide an XML window could still be compromised by manually entering the password-changing XML.
> 
> There are also other interesting things you can do with such XML windows, like enabling 'Plaintext login' and then authenticating while the XML window is open.  Of course, the user would need his password saved to disk for this to work, which is generally easy for an attacker to retrieve anyway...
> 
> I hate to repeat the same old "don't let an untrusted person use your computer" mantra, as it is not very productive, but I'm not sure of any other good solution.  I suppose the client could be more locked-down so that there is no XML window, but at that point you may as well just lock your desktop.
> 
> -Justin
> 
> On Friday 23 January 2004 12:21 pm, JD Conley wrote:
> > Interesting thought. . .
> >
> > So perhaps we need a directive that clients SHOULD (or MUST maybe?) request both the old and new password, attempt to auth on another stream with the old password and then, if successful, set the new password.  This would make me happy if changing the protocol is out of the question.
> >
> > JD
> >
> > > -----Original Message-----
> > > From: Tomasz Sterna [mailto:tomek at smoczy.net]
> > > Sent: Friday, January 23, 2004 12:08 PM
> > > To: standards-jig at jabber.org
> > > Subject: RE: [standards-jig] JEP-0077 Password Changing Security Flaw
> > >
> > > In the message of Fri, 23-01-2004, 06:02, JD Conley writes:
> > > > I'm not talking about security in that context.  I'm talking about a flaw in the protocol.
> > >
> > > What you are describing is a flaw in a client, not in the protocol.
> > >
> > > There is no way of changing the password without knowing the current one. You need to auth first to make a change.
> > >
> > > I see no reason for requiring it twice.
> > > You have already proven that you are a legitimate user.
> > >
> > > Every "other implementation" you described is a client-side implementation. It is a /bin/passwd program or Windows "change password prompt window" that is protecting you from malicious coworkers. A Jabber client should do the same.
> > >
> > > _______________________________________________
> > > Standards-JIG mailing list
> > > Standards-JIG at jabber.org
> > > http://mailman.jabber.org/listinfo/standards-jig
> >
> 


