Because MQTT is very simple to get started with, both from an application user's perspective and from a protocol developer's perspective, it has become very popular in IoT. But that simplicity has its drawbacks: MQTT has some serious vulnerabilities that any developer using it must be aware of.
One of the biggest vulnerabilities is its handling of passwords. They are sent in clear text in the protocol, and MQTT does not use a pluggable authentication architecture like the Simple Authentication and Security Layer (SASL) either. This causes a whole range of problems. If passwords are to be used, the application must persist them. Had SASL been used, a hash would most likely have been sufficient. This creates a whole new set of vulnerabilities at the application layer.
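To make the clear-text point concrete, here is an added example (not code from the original article): a small parser for a constructed MQTT 3.1.1 CONNECT packet that pulls the User Name and Password fields straight out of the bytes, which is all anyone on the network path needs to do when the connection is not wrapped in TLS. The packet layout follows the MQTT 3.1.1 specification; the client identifier and credentials are made-up sample values.

```python
import struct

def _decode_remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' field (1-4 bytes, 7 bits each)."""
    value = 0
    for shift in range(0, 28, 7):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _read_field(buf, pos):
    """Read a 2-byte big-endian length-prefixed field (MQTT string or binary data)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_connect(packet):
    """Return the CONNECT fields as a dict; the password is returned as raw bytes."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    end = pos + remaining
    proto, pos = _read_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    client_id, pos = _read_field(packet, pos + 4)
    out = {"protocol": proto.decode(), "level": level, "client_id": client_id.decode(), "keep_alive": keep_alive}
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    if flags & 0x80:  # user name flag
        user, pos = _read_field(packet, pos)
        out["username"] = user.decode()
    if flags & 0x40:  # password flag: binary data, readable by anyone on the path
        out["password"], pos = _read_field(packet, pos)
    if pos != end:
        raise ValueError("CONNECT payload length mismatch")
    return out

SAMPLE_CONNECT = (  # constructed MQTT 3.1.1 CONNECT, as it crosses the wire without TLS
    b"\x10\x25"            # fixed header: type 1 (CONNECT), remaining length 37
    b"\x00\x04MQTT\x04"    # protocol name "MQTT", protocol level 4
    b"\xc2"                # connect flags: user name, password, clean session
    b"\x00\x3c"            # keep alive: 60 s
    b"\x00\x09sensor-01"   # client identifier
    b"\x00\x05alice"       # user name, in the clear
    b"\x00\x07hunter2"     # password, in the clear
)
```

The same parser doubles as a check on the broker side: a CONNECT with the password flag set arriving on a non-TLS listener is exactly the condition this paragraph warns about.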
The common solution is instead to use either encryption or out-of-band authentication, or a combination of both. But out-of-band authentication is not a standardized...