eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

mosquitto cannot prevent brute force password attack #2076

Open fengqiusuo opened 3 years ago

fengqiusuo commented 3 years ago

As we know, mosquitto cannot prevent brute force password attack. So I want to know whether we have a plan to prevent brute force password attack. Wish you all well, thank you!

sectokia commented 3 years ago

Firstly, a "password" in MQTT is up to 65535 bytes of data. So it's up to you to set it to what you want, and then ensure you can enter the same data on the client. It is only brute forceable if you choose to use a weak password, as MQTT supports 2^524280 permutations of passwords, which is absolutely not brute forceable.

If you are using 'weak' passwords, "mosquitto_passwd" has a (undocumented?) -I option to set iteration count for password hashing. When user sends a password, it is hashed and compared to the stored hashed value. A higher iteration count means the password is stored having gone through more hash cycles, so when the comparison is done at user login attempt, the server has to do more hash cycles, and will take longer to reject or accept clients. You can set this as high as you want to make the login attempt longer and longer to prevent brute forcing in a reasonable time period.

Thirdly if you are still worried about security, you should issue each client a client certificate. Mosquitto can be set to authenticate clients via certificates.
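As an added illustration of the iteration-count point above (example code written for this thread, not part of mosquitto or its `mosquitto_passwd` tool): the model below builds and verifies password-file entries with PBKDF2-SHA512, in a `$7$<iterations>$<salt>$<hash>` layout modelled on what `mosquitto_passwd` writes (the exact format, the 12-byte salt length and the default iteration count of 101 are assumptions here), and measures how the per-login verification cost grows with the iteration count. That growth is exactly the knob `-I` turns, and it applies to every login attempt, legitimate or not.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed values modelled on mosquitto_passwd output; not taken from the project.
SALT_LEN = 12
DEFAULT_ITERATIONS = 101


def make_entry(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build a password-file value: "$7$<iterations>$<b64 salt>$<b64 hash>"."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "$7$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_entry(entry: str):
    """Split an entry into (iterations, salt bytes, expected hash bytes)."""
    parts = entry.split("$")  # ['', '7', iterations, salt, hash]
    if len(parts) != 5 or parts[1] != "7":
        raise ValueError("unsupported entry format")
    return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])


def verify(password: str, entry: str) -> bool:
    """Re-run PBKDF2 with the stored salt and iteration count and compare
    in constant time, as a broker would on every CONNECT."""
    iterations, salt, expected = parse_entry(entry)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_login(password: str, entry: str, rounds: int = 5) -> float:
    """Average wall-clock cost of one verification against this entry."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify(password, entry)
    return (time.perf_counter() - start) / rounds


def cost_ratio(password: str, low_iter: int, high_iter: int) -> float:
    """How many times slower a login check becomes when the iteration count
    is raised from low_iter to high_iter (the effect of mosquitto_passwd -I)."""
    low = seconds_per_login(password, make_entry(password, low_iter))
    high = seconds_per_login(password, make_entry(password, high_iter))
    return high / low


if __name__ == "__main__":
    # Constructed sample credential; not a real account.
    entry = make_entry("correct horse battery staple")
    print("stored:", entry)
    print("right password accepted:", verify("correct horse battery staple", entry))
    print("wrong password accepted:", verify("password123", entry))
    print("slowdown 101 -> 100000 iterations: %.0fx" % cost_ratio("x", 101, 100_000))
```

The slowdown is linear in the iteration count, so a guess-per-second budget for an online attacker drops by the same factor; the trade-off is that every honest client reconnect pays the same cost on the broker's CPU.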

fengqiusuo commented 3 years ago

OK, thank you very much. I'll think about it again.

ralight commented 3 years ago

This isn't on my list of priorities right now, but I agree it would be useful. If you're interested in making it happen I can offer guidance. It might actually be well suited to being a plugin.

jsopenrb commented 3 years ago

fail2ban or similar could be used, but the problem is that the disconnect log entry is missing the client's IP address.

kri164 commented 1 year ago

To use fail2ban, the mosquitto log file entry needs some kind of unique connection identifier, to reliably detect the attacker.

More info at https://github.com/fail2ban/fail2ban/issues/3427

What about adding IP address to disconnect line? Something as

```
Dec 06 19:49:04: New connection from 192.168.0.100:39608 on port 8883.
Dec 06 19:49:05: Client 192.168.0.100:39608 disconnected, not authorised.
```

Thank you
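To show what the proposed `IP:port` on the disconnect line buys a log-based blocker, here is an added example (written for this thread, not code from mosquitto or fail2ban) that applies fail2ban-style `maxretry`/`findtime` counting to a constructed log excerpt. The sample lines use the format suggested above, plus one line in the current format, where the disconnect carries only a client id (`mosq-abc123`, a made-up id), so that it is visible why such a line cannot be attributed to a source address. The log year is assumed because the timestamp format carries none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real broker output). Most lines follow the
# format proposed in this thread; the mosq-abc123 line follows the current
# format, which names the client id but not the source address.
SAMPLE_LOG = """\
Dec 06 19:49:04: New connection from 192.168.0.100:39608 on port 8883.
Dec 06 19:49:05: Client 192.168.0.100:39608 disconnected, not authorised.
Dec 06 19:49:06: New connection from 192.168.0.100:39610 on port 8883.
Dec 06 19:49:07: Client 192.168.0.100:39610 disconnected, not authorised.
Dec 06 19:49:08: New connection from 192.168.0.100:39612 on port 8883.
Dec 06 19:49:09: Client 192.168.0.100:39612 disconnected, not authorised.
Dec 06 19:49:10: New connection from 10.0.0.7:51000 on port 8883.
Dec 06 19:49:11: New client connected from 10.0.0.7:51000 as sensor-1 (p2, c1, k60).
Dec 06 19:49:12: Client mosq-abc123 disconnected, not authorised.
Dec 06 19:55:00: New connection from 192.168.0.100:39700 on port 8883.
Dec 06 19:55:01: Client 192.168.0.100:39700 disconnected, not authorised.
"""

ASSUMED_YEAR = 2023  # assumption: the log format has no year field

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"
# Proposed format: the source address is right there on the failure line.
FAIL_WITH_IP = re.compile(
    TS + r": Client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ disconnected, not authorised\.$"
)
# Current format: only a client id, which an attacker picks freely.
FAIL_NO_IP = re.compile(TS + r": Client (?P<cid>\S+) disconnected, not authorised\.$")


def _parse_ts(text: str) -> datetime:
    return datetime.strptime("%d %s" % (ASSUMED_YEAR, text), "%Y %b %d %H:%M:%S")


def parse_failures(log_text: str):
    """Yield (timestamp, source_ip) for every attributable auth failure."""
    for line in log_text.splitlines():
        m = FAIL_WITH_IP.match(line)
        if m:
            yield _parse_ts(m["ts"]), m["ip"]


def unattributable_failures(log_text: str) -> list:
    """Client ids from failure lines that carry no source address; a
    log-based blocker has nothing to ban here."""
    found = []
    for line in log_text.splitlines():
        if FAIL_WITH_IP.match(line):
            continue
        m = FAIL_NO_IP.match(line)
        if m:
            found.append(m["cid"])
    return found


def find_offenders(log_text: str, maxretry: int = 3,
                   findtime: timedelta = timedelta(seconds=60)) -> dict:
    """fail2ban-style sliding window: map each source IP to the time at which
    it reached maxretry failures within findtime. Failures older than the
    window are dropped before counting."""
    window = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        recent = window[ip]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.popleft()
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print("ban %s (threshold reached at %s)" % (ip, when.time()))
    print("failures with no address to act on:", unattributable_failures(SAMPLE_LOG))
```

With the default `maxretry=3` within 60 seconds, `192.168.0.100` is flagged at the third failure (19:49:09); the fourth failure at 19:55:01 falls outside the window and on its own would not trip the threshold. The `mosq-abc123` line is counted only as unattributable: a client id is chosen by whoever connects, so it identifies nothing worth banning, which is the gap the proposed log line closes.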

lcse66 commented 8 months ago

+1