Cleartext Password Transmission

Hi There,

I am just getting started with MQTT and Mosquitto. I have a Shelly Flood Sensor I connect to the Mosquitto Broker on a Pi.

Because the password file of Mosquitto creates a password hash, I was hopeful that unencrypted MQTT traffic would at least use the hash to authenticate at the broker. Well, a traffic capture revealed something else.

I asked my teacher about this and he said that this is the norm. ChatGPT, on the other hand, does not confirm this. Therefore I am looking for some confirmation.

Now I am aware that TLS would fix the issue. Unfortunately I don’t have a device that supports TLS.

Thanks for your Help!

Hi,
Your teacher is right about it. In the OASIS spec for the MQTT network protocol all data will be sent as clear text. And the password has to be sent in clear text as well (same for the V5.0 protocol version).
But from a security aspect it would make no difference if the client sent the HASH value instead. In both cases anyone able to capture the network traffic will be able to use the client identity.
This is one reason why we highly recommend using an encrypted MQTTS transport to secure this data.
Best,
Norbert
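To show what the spec Norbert refers to actually puts on the wire, here is an added example (not code from this thread or from Mosquitto) that decodes an MQTT 3.1.1 CONNECT packet the way a capture analysis would; it assumes MQTT 3.1.1 framing (no MQTT 5 properties), and the client id, username and password bytes are constructed sample values.

```python
import struct
FLAG_USERNAME, FLAG_PASSWORD, FLAG_WILL = 0x80, 0x40, 0x04  # CONNECT flag bits, MQTT 3.1.1 3.1.2.3

# Constructed sample CONNECT: client "sensor-01", username "sensor", password "hunter2"
SAMPLE_CONNECT = (
    b"\x10\x26"                      # fixed header: CONNECT, remaining length 38
    b"\x00\x04MQTT\x04\xc2\x00\x3c"  # protocol name, level 4, flags 0xC2, keep-alive 60
    b"\x00\x09sensor-01"             # client id
    b"\x00\x06sensor"                # username
    b"\x00\x07hunter2"               # password: plain bytes, no hash involved
)

def _read_varint(buf: bytes, pos: int):
    """Decode the 'remaining length' field (1 to 4 bytes, 7 data bits each)."""
    value, mult = 0, 1
    for _ in range(4):
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def _read_field(buf: bytes, pos: int):
    """Read a 2-byte big-endian length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet: bytes) -> dict:
    """Return the fields of an MQTT 3.1.1 CONNECT packet, credentials included."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_varint(packet, 1)
    end = pos + remaining
    _, pos = _read_field(packet, pos)               # protocol name, b"MQTT"
    flags = packet[pos + 1]                          # byte after the protocol level
    pos += 4                                         # level, flags, keep-alive (2 bytes)
    client_id, pos = _read_field(packet, pos)
    info = {"client_id": client_id.decode(), "username": None, "password": None}
    if flags & FLAG_WILL:                            # skip will topic and will message
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    if flags & FLAG_USERNAME:
        user, pos = _read_field(packet, pos)
        info["username"] = user.decode()
    if flags & FLAG_PASSWORD:                        # the field the capture exposed
        info["password"], pos = _read_field(packet, pos)
    if pos != end:
        raise ValueError("payload length does not match remaining length")
    return info
```

The password field is read back byte for byte from the packet, which is why the mosquitto password file's hash never matters on the wire and only TLS (the MQTTS listener) keeps it out of a capture.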