File Authentication

Version: 3.1.0
License: Apache v2

The File Authentication Plugin is the first plugin, which adds the capability of client authentication to HiveMQ. In the case of this plugin the credentials consist of username and password and are read from a file.

Installation with Sample Configuration 

  • Follow the standard installation guide on the official HiveMQ documentation
  • Copy the supplied and in the plugin folder as well.
  • Start/Restart HiveMQ
  • Use a MQTT client of your choice and provide username/password: hivemq-user1/user1

This sample installation shows a simple and quick way to get started with the plugin. Therefore the pre-configuration uses no hashing for the passwords and has predefined username/password combinations. If you are using this plugin in production a more secure setup is essential. The various configuration options are explained in the following.

Configuration Options 

The plugin can be configured with the file, which needs to be placed in the conf folder in your HiveMQ home directory.

Property NameDefault ValueDescription
filenamecredentials.propertiesThis property specifies the name of the file, which contains the credentials of the users. Please notice that the file has to be in the plugins folder.
reloadCredentialsInterval.seconds10Returns the interval after which the credentials file is checked, if new credentials were added.
passwordHashing.enabledfalseSpecifies if the password is stored in plaintext or as hash. If this is set to false all other configuration properties except filename and reloadCredentialsInterval.seconds are ignored.
passwordHashing.algorithmSHA-512Here the hashing algorithm used during the creation of the passwords can be declared. HiveMQ is supporting all hashing algorithms provided by the Java Virtual Maschine (MD2, MD5, SHA, SHA-256, SHA-384, SHA-512). Recommended for use is SHA-256 and above, because the others are not considered secure.
passwordHashing.iterations100Customizes the number of hashing iterations used.
passwordHashingSalt.enabledtrueConfigures if a salt has been used during the hash generation. If this is set to false the following options are ignored.
passwordHashingSalt.separationChar$Defines the character used in the credential file to separate the salt from the hash.
passwordHashingSalt.isFirsttrueSpecifies the order of hash and salt. If this is set to true, the salt is in front of the hash (salt$hash), if this option is false the salt is placed after the hash (hash$salt)


The second file needed for the plugin to work successfully is the credentials file, which is a Java Property File. So in each line one username/password combination can be specified. Depending on the configuration options a line looks like one of the following:

It is not possible to specify different formats for passwords of different users in one file, therefore all lines must contain the same format.

Production-ready Configuration 

The displayed configuration shows a production-ready implementation, which uses SHA 512, 1 million iterations and salting.

Create and Modify the credential file

After having copied this configuration into the, the credential file has to be improved, too. Now as hashing and salting is enabled the passwords have to be stored in same format.

This can be done easily with the supplied utility:

  • Make sure the have your desired settings
  • Delete the provided
  • Start utility with:
  • Configure the utility with:
  • Create as many user as you need with:
  • Show all user:
  • Done!