[Catalyst] Outcome of the "Security issue with hashed passwords
jshirley at gmail.com
Thu Apr 8 01:23:22 GMT 2010
On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale
<toby.corkindale at strategicdata.com.au> wrote:
> So, a while back there was some.. slightly heated.. discussion about
> security issues with C-P-A-Password.. or perhaps one of the modules it uses
> internally.. in certain cases, if certain options are, or are not, set. Then
> it quietened down without any apparent conclusion being reached.
> Now that some time has passed, I wondered if someone could provide a
> synopsis of the outcome of these investigations and discussions?
> In short:
> * In what circumstances was an attack possible?
> i.e. what combination of modules, options, and auth methods?
> * Which versions were vulnerable, and if any, at what version were they
> fixed, if any?
> * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
In my opinion, a non-issue from the start unless you specifically
enable the "I want a weak crypt" option.
C::P::A defers to Crypt::SaltedHash, which handles everything fine.
The ticket is still open because Evan is going to look into it further.
You can follow the ticket at