[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Andrew Rodland andrew at cleverdomain.org
Thu Apr 8 06:21:15 GMT 2010

>   * In what circumstances was an attack possible?
>     ie. What combination of modules, options, auth methods.

* You use Catalyst::Authentication::Credential::Password.
* With the "hashed" password_type.
* And your database is compromised.

>   * Which versions were vulnerable, and if any, at what version were
> they fixed, if any?

All versions. "hashed" shouldn't be used except by those who have broken and 
stupid user databases; fixing it isn't possible. What we perhaps *should* do 
is warn when it's used, and do a better job of marking it as unsuitable for 
use in the perldoc.

>   * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?

* Use password_type = "salted_hash" to get salted hashes.
* Or use password_type = "self_check" and a store that provides secure 
password handling via the user object, e.g. 
Catalyst::Authentication::Store::DBIx::Class w/ DBIx::Class::EncodedColumn on 
the user table, or Catalyst::Authentication::Store::LDAP (plus a suitable 
configuration on your LDAP server; some of them will allow you to do stupid 
things like plaintext passwords, but we can't help that).
* If you have a user database that uses plain hashed passwords, start figuring 
out how to change over to a proper method and how to force all of your users 
to reset their passwords.

More information about the Catalyst mailing list