[Catalyst] Outcome of the "Security issue with hashed passwords
andrew at cleverdomain.org
Thu Apr 8 06:21:15 GMT 2010
> * In what circumstances was an attack possible?
> ie. What combination of modules, options, auth methods.
* You use Catalyst::Authentication::Credential::Password.
* With the "hashed" password_type.
* And your database is compromised.
> * Which versions were vulnerable, and if any, at what version were
> they fixed, if any?
All versions. "hashed" shouldn't be used except by those who have broken and
stupid user databases; fixing it isn't possible. What we perhaps *should* do
is warn when it's used, and do a better job of marking it as unsuitable for
use in the perldoc.
> * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
* Use password_type = "salted_hash" to get salted hashes.
* Or use password_type = "self_check" and a store that provides secure
password handling via the user object, e.g.
Catalyst::Authentication::Store::DBIx::Class w/ DBIx::Class::EncodedColumn on
the user table, or Catalyst::Authentication::Store::LDAP (plus a suitable
configuration on your LDAP server; some of them will allow you to do stupid
things like plaintext passwords, but we can't help that).
* If you have a user database that uses plain hashed passwords, start figuring
out how to change over to a proper method and how to force all of your users
to reset their passwords.
More information about the Catalyst