[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

J. Shirley jshirley at gmail.com
Thu Apr 8 01:23:22 GMT 2010

On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale
<toby.corkindale at strategicdata.com.au> wrote:
> So, a while back there was some.. slightly heated.. discussion about
> security issues with C-P-A-Password.. or perhaps one of the modules it uses
> internally.. in certain cases, if certain options are, or are not, set. Then
> it quietened down without any apparent conclusion being reached.
> Now that some time has passed, I wondered if someone could provide a
> synopsis of the outcome of these investigations and discussions?
> In short:
>  * In what circumstances was an attack possible?
>   ie. What combination of modules, options, auth methods.
>  * Which versions were vulnerable, and if any, at what version were they
> fixed, if any?
>  * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
> Thanks,
> Toby

In my opinion, a non-issue from the start unless you specifically
enable the "I want a weak crypt" option.

C::P::A defers to Crypt::SaltedHash, which handles everything fine.

The ticket is still open because Evan is going to look into it further.

You can follow the ticket at


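For readers who want to see what "defers to Crypt::SaltedHash" looks like in practice, here is a small illustration, written for this page and not taken from C::P::A, Crypt::SaltedHash, or the thread itself. It generates a salted hash with the documented Crypt::SaltedHash interface and validates a correct and an incorrect password against it. The algorithm name, salt length, and the sample passwords are choices made for the example, not settings from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::SaltedHash;

# Build a hasher. The defaults are SHA-1 with a 4-byte salt; SHA-256 and an
# 8-byte salt are chosen here for the example, not prescribed by the thread.
my $csh = Crypt::SaltedHash->new(algorithm => 'SHA-256', salt_len => 8);

# Sample password constructed for the example.
my $password = 'correct horse battery staple';
$csh->add($password);

# generate() returns an RFC 2307 style string such as {SSHA256}<base64 of
# digest followed by salt>; this is what gets stored, never the password.
my $stored = $csh->generate;
print "stored: $stored\n";

# Two hashes of the same password differ because the salt is random, which
# is the point of salting: equal passwords are not visible as equal hashes.
my $csh2 = Crypt::SaltedHash->new(algorithm => 'SHA-256', salt_len => 8);
$csh2->add($password);
my $stored_again = $csh2->generate;
print "hashes differ: ", ($stored ne $stored_again ? "yes" : "no"), "\n";

# validate() parses the scheme and salt out of the stored string; the third
# argument is the salt length that was used when the hash was generated.
my $ok  = Crypt::SaltedHash->validate($stored, $password,          8);
my $bad = Crypt::SaltedHash->validate($stored, 'wrong password',   8);
print "valid password:   ", ($ok  ? "accepted" : "rejected"), "\n";
print "invalid password: ", ($bad ? "accepted" : "rejected"), "\n";
```

In a Catalyst application the same calls happen inside Catalyst::Authentication::Credential::Password when the credential is configured with `password_type => 'salted_hash'`; the `password_salt_len` setting there corresponds to the salt length passed to `validate` above. Which other option the reply refers to as the "weak crypt" setting is not stated in the thread, so this example does not attempt to show it.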