It’s tempting to use quick examples without credentials, but in a real-world scenario you must authenticate your MQTT client. In this post we’ll show how to add basic authentication in C# and discuss brute-force risks and how to mitigate them.
## Basic Authentication Setup
Using the MQTTnet library, call `.WithCredentials()` when building the client options:
```csharp
using MQTTnet;
using MQTTnet.Client;
using MQTTnet.Client.Options;
using System;
using System.Text;
using System.Threading.Tasks;

class Program
{
    static async Task Main()
    {
        var options = new MqttClientOptionsBuilder()
            .WithTcpServer("broker.hivemq.com", 1883) // port 1883 is plaintext; see the TLS note below
            .WithClientId("dotnet-iot-secure-demo")
            .WithCredentials("myUser", "myStrongPassword") // ← basic authentication
            .Build();

        var factory = new MqttFactory();
        var client = factory.CreateMqttClient();

        // Subscribe once the broker has accepted the CONNECT (and the credentials).
        client.UseConnectedHandler(async _ =>
        {
            Console.WriteLine("Connected with basic authentication");
            await client.SubscribeAsync("iot/door/status");
        });

        client.UseApplicationMessageReceivedHandler(e =>
        {
            var payload = Encoding.UTF8.GetString(e.ApplicationMessage.Payload);
            Console.WriteLine($"Message received: {payload}");
        });

        await client.ConnectAsync(options);
        Console.WriteLine("Press ENTER to exit...");
        Console.ReadLine();
    }
}
```
**Note:** Even with username/password, it’s critical that your broker and client use TLS (port 8883) so credentials aren’t sent in plaintext.
## Best Practices to Harden Security

- **Strong Passwords**: Use ≥16 characters and mix uppercase, lowercase, numbers, and symbols.
- **Attempt Limiting**: Lock out after N failed attempts (e.g., 5 failures → 5-minute lock).
- **IP Filtering**: Restrict connections to trusted IP ranges (e.g., your corporate network).
- **Enforce TLS**: Never transmit credentials in plaintext; require TLS on both client and broker (in MQTTnet, add `.WithTls()` to the options builder).
- **Credential Rotation**: Change usernames/passwords regularly (every 3–6 months).
- **Monitoring & Alerts**: Log failed logins and set up alerts when thresholds are exceeded.
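As an added example (not code from the original post), here is the same client with the TLS and credential points above applied: credentials read from environment variables instead of source code, `.WithTls()` enabled on port 8883, and a CONNECT refused for bad credentials treated as a stop condition rather than retried. The hostname, the `MQTT_USER`/`MQTT_PASS` variable names, and the MQTTnet 3.x type names (`MqttConnectingFailedException`, `ResultCode`) are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using MQTTnet;
using MQTTnet.Client;
using MQTTnet.Client.Options;
using MQTTnet.Exceptions;

class HardenedProgram
{
    static async Task Main()
    {
        // Credentials come from the environment instead of source code.
        // MQTT_USER and MQTT_PASS are assumed variable names for this example.
        var user = Environment.GetEnvironmentVariable("MQTT_USER");
        var pass = Environment.GetEnvironmentVariable("MQTT_PASS");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
        {
            Console.Error.WriteLine("Set MQTT_USER and MQTT_PASS before starting.");
            return;
        }

        var options = new MqttClientOptionsBuilder()
            .WithTcpServer("broker.example.com", 8883) // placeholder host, TLS port
            .WithClientId("dotnet-iot-secure-demo")
            .WithCredentials(user, pass)
            .WithTls() // server certificate validation stays enabled (the default)
            .Build();

        var client = new MqttFactory().CreateMqttClient();
        try
        {
            var result = await client.ConnectAsync(options);
            Console.WriteLine($"Connected over TLS: {result.ResultCode}");
            await client.SubscribeAsync("iot/door/status");
        }
        catch (MqttConnectingFailedException ex)
        {
            // A refused CONNECT (e.g. BadUserNameOrPassword) means the stored
            // credentials are wrong or were rotated. Do not retry in a loop: to the
            // broker that looks like a brute-force attempt and trips the lockout.
            Console.Error.WriteLine($"Broker refused connection: {ex.ResultCode}");
            return;
        }

        Console.WriteLine("Press ENTER to exit...");
        Console.ReadLine();
        await client.DisconnectAsync();
    }
}
```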