[Catalyst] Storing a password hash with DBIC

Jonathan Rockway jon at jrock.us
Thu Aug 10 20:16:27 CEST 2006


Renaud Drousies wrote:
> That's why the password should be mixed with a challenge string before
> being hashed and sent over the network.

This is also not a good solution.  The server still needs to know some
computable variant of the cleartext password in order for this to work.

Feel free to hash passwords in your database so that if the database is
compromised you don't just give out cleartext passwords.  This worked
for UNIX's /etc/passwd for a while, but there's a reason they moved to
shadow passwords.  Given a hash, cracking passwords is easy.

The correct solution to the password issue is to use SSL.  For
everything.  (Compromising the login cookie is just as good as a
password, so you'd better transfer those over SSL too.)

Anyway, we could go back and forth on how challenge/response hashes are
"good enough", and I guess they are, but it's a lot *easier* to use
strong cryptography and guarantee that your passwords aren't going to be
compromised in band.  Just load mod_ssl into Apache, and you're done!

(Someone could still brute force login attempts, but that's extremely
easy to detect.  Again, think UNIX /etc/shadow.)

Regards,
Jonathan Rockway
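The distinction Jonathan draws above, between a challenge/response verifier and a stored password hash, as an added example that is not part of the original thread and not Catalyst or DBIC code. It uses Python's standard library only. The function names (`cr_enroll`, `kdf_enroll`, `db_row_alone_logs_in`, ...) and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations as the "shadow password" style storage are this example's own assumptions; the post itself names no algorithm. The point it makes concrete: in the challenge/response scheme the value the server stores is enough on its own to answer any challenge, so a database leak is a credential leak, whereas a salted, iterated hash checked against a password sent over TLS cannot be replayed from the row alone and also stops identical passwords from producing identical rows.

```python
"""Added example (not from the mailing-list post): a challenge/response
verifier versus a salted, iterated password hash checked over TLS."""
import hashlib
import hmac
import secrets

# --- Scheme 1: challenge/response over a cleartext channel -----------------
# To check a response the server must keep H(password), a "computable variant
# of the cleartext password".  That stored value is password-equivalent.

def cr_enroll(password: str) -> bytes:
    """Server stores the unsalted verifier H(password)."""
    return hashlib.sha256(password.encode()).digest()


def cr_response(verifier: bytes, challenge: bytes) -> bytes:
    """Client answers a challenge; anyone holding the verifier can do this."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


def cr_verify(stored_verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored verifier."""
    expected = cr_response(stored_verifier, challenge)
    return hmac.compare_digest(expected, response)


def db_row_alone_logs_in(stored_verifier: bytes) -> bool:
    """Simulate a login that uses only the leaked database row, never the
    password.  Returns True when the row by itself passes verification."""
    challenge = secrets.token_bytes(16)                # server's fresh nonce
    response = cr_response(stored_verifier, challenge)  # built from the row alone
    return cr_verify(stored_verifier, challenge, response)


# --- Scheme 2: salted, iterated hash in the DB; password sent over TLS ------
# Assumption of this example: PBKDF2-HMAC-SHA256.  Tune the iteration count to
# your hardware; the value here is illustrative.
PBKDF2_ITERATIONS = 200_000


def kdf_enroll(password: str) -> dict:
    """Store a per-user random salt and the iterated hash (shadow-file style)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def kdf_verify(record: dict, password: str) -> bool:
    """Server receives the cleartext password over TLS and recomputes the hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def kdf_row_alone_logs_in(record: dict) -> bool:
    """Feeding the stored hash back as if it were the password must fail;
    the row only helps an attacker who also cracks the password."""
    return kdf_verify(record, record["hash"].hex())


def identical_passwords_share_rows(enroll) -> bool:
    """True when two users with the same password get the same stored value,
    which lets one precomputed table crack every such row at once."""
    return enroll("correct horse") == enroll("correct horse")


if __name__ == "__main__":
    verifier = cr_enroll("correct horse")
    print("challenge/response: DB row alone logs in ->", db_row_alone_logs_in(verifier))
    print("challenge/response: same password, same row ->",
          identical_passwords_share_rows(cr_enroll))
    record = kdf_enroll("correct horse")
    print("salted KDF: correct password accepted ->", kdf_verify(record, "correct horse"))
    print("salted KDF: DB row alone logs in ->", kdf_row_alone_logs_in(record))
    print("salted KDF: same password, same row ->",
          identical_passwords_share_rows(lambda p: kdf_enroll(p)["hash"]))
```

Run it and the first scheme reports that the row alone logs in and that equal passwords give equal rows; the second reports neither. The salted scheme still depends on the transport being encrypted, which is the post's actual recommendation: the cleartext password crosses the wire, so without SSL the hash in the database protects the stored copy but not the login itself.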