Cleartext Password Transmission

Hi There,

I am just getting started with MQTT and Mosquitto. I have a Shelly Flood Sensor I connect to the Mosquitto Broker on a Pi.

Because the Password file of Mosquitto creates a Password Hash I was hopeful that unencrypted MQTT Traffic uses at least the hash to Authenticate at the Broker. Well a Traffic Capture revealed something else.

I asked my Teacher about this and he said, that this is the norm. ChatGPT on the otherhand does not confirm this. Therefore i am looking for some confirmation.

Now i am aware that TLS would fix the issue. Unfortunatley i don’t have a device that supports TLS.

Thanks for your Help!

you teacher is right about it. In the OASIS-Spec for the MQTT for the network protocol all data will be senD aS clear text. And the password has to be sent in clear text as well. (same for the V5.0 protocol version).
But from security aspect it would make no different, if the client would send the HASH value instead. In both cases anyone being able to capture the network traffic will be able to use the client identity.
This is one reason, why we highly recommend to use an encrypted MQTTS transport to secure this data.