mosquitto mosquitto cannot prevent brute force password attack

As we know, mosquitto cannot prevent brute force password attack. So I want to know whether wo have a plan to prevent brute force password attack. Wish you all well, thank you!

Feb 05 '21 07:02 fengqiusuo

Firstly, a "password" in MQTT is up to 65535 bytes of data. So its up to you to set it to what you want, and then ensure you can enter the same data on the client. It is only brute forceable if you choose to use a weak password, as MQTT supports 2^524280 permutations of passwords, which is absolutely not brute forceable.

If you are using 'weak' passwords, "mosquitto_passwd" has a (undocumented?) -I option to set iteration count for password hashing. When user sends a password, it is hashed and compared to the stored hashed value. A higher iteration count means the password is stored having gone through more hash cycles, so when the comparison is done at user login attempt, the server has to do more hash cycles, and will take longer to reject or accept clients. You can set this as high as you want to make the login attempt longer and longer to prevent brute forcing in a reasonable time period.

Thirdly if you are still worried about security, you should issue each client a client certificate. Mosquitto can be set to authenticate clients via certificates.

Feb 06 '21 02:02 sectokia

OK，thank you very much. I'll think about it again.

Feb 07 '21 02:02 fengqiusuo

This isn't on my list of priorities right now, but I agree it would be useful. If you're interested in making it happen I can offer guidance. It might actually be well suited to being a plugin.