From 798400210d60a0f82e9c38d32c1e1b69769e8985 Mon Sep 17 00:00:00 2001
From: Guus der Kinderen
Date: Fri, 5 Jan 2024 10:41:46 +0100
Subject: [PATCH] XEP-0133: Retract 'Get User Password' command

Retrieving a password implies storage of plaintext passwords. That's no longer an acceptable practice.
---
 xep-0133.xml | 96 +++++----------------------------------------------
 1 file changed, 9 insertions(+), 87 deletions(-)

diff --git a/xep-0133.xml b/xep-0133.xml
index 4fadc78b..119d0faa 100644
--- a/xep-0133.xml
+++ b/xep-0133.xml
@@ -21,6 +21,12 @@ admin &stpeter; + + 1.3 + 2024-01-04 + gdk + Removed use case 'Get User Password', which violates best-practices with regard to security. + 1.2 2017-07-15 @@ -110,7 +116,7 @@
  • Disable User
  • Re-Enable User
  • End User Session
  • -
  • Get User Password
  • +
  • Get User Password (retracted)
  • Change User Password
  • Get User Roster
  • Get User Last Login Time
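Review bot: the renamed use-case list entry "Get User Password (retracted)" gives a reader of the overview no indication of why the entry is retracted or where to look; suggest pointing at the retained note in the section body, e.g. "Get User Password (retracted in revision 1.3; see the note in that section)", so the list and the section text agree on the reason the command is gone.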
  • @@ -539,92 +545,8 @@ ]]> - -

    An administrator may need to retrieve a user's password. The command node for this use case SHOULD be "http://jabber.org/protocol/admin#get-user-password".

    -

    A sample protocol flow for this use case is shown below.

    - - - -]]> -

    Unless an error occurs (see the Error Handling section below), the service SHOULD return the appropriate form.

    - - - - Getting a User's Password - Fill out this form to get a user's password. - - http://jabber.org/protocol/admin - - - - - - - -]]> -

    Note: If the entity is an end user, the JID SHOULD be of the form <user@host>, not <user@host/resource>.

    - - - - - http://jabber.org/protocol/admin - - - juliet@shakespeare.lit - - - - -]]> -

    Naturally, the data form included in the IQ result will include the user's password.

    - - - - - http://jabber.org/protocol/admin - - - juliet@shakespeare.lit - - - R0m30 - - - - -]]> + +

    Up to and including revision 1.2 of this XEP, this section defined a command that could be used to retrieve a user's password. This implies that the implementation stores plaintext passwords, a practise that is a well-documented vulnerabilityOWASP: Password Plaintext Storage <https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage>. This command has therefore been retracted from this XEP. To retain section numbering, this text replaces the command definition that previously existed in this section.

    An administrator may need to change a user's password. The command node for this use case SHOULD be "http://jabber.org/protocol/admin#change-user-password".
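Review bot: in the @@ -539,92 +545,8 @@ hunk, the replacement paragraph explains why the command was removed but says nothing about what a service should do when it still receives a command for the "http://jabber.org/protocol/admin#get-user-password" node; suggest adding a sentence that services SHOULD NOT advertise or implement this node and SHOULD answer such a request with an error as described in the Error Handling section, so implementers have normative guidance rather than only the rationale. Minor: "a practise that is a well-documented vulnerability" should read "practice" (the noun, matching "acceptable practice" in the commit message).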
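Review bot: in the @@ -21,6 +21,12 @@ hunk, the new revision entry carries the date "2024-01-04" while the commit's Date header is 5 Jan 2024; confirm which date the 1.3 revision should record. Minor: "best-practices" is a noun phrase here and should be unhyphenated, "best practices".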