[Catalyst] Re: Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Daniel Pittman daniel at rimspace.net
Thu Apr 8 12:49:58 GMT 2010

Toby Corkindale <toby.corkindale at strategicdata.com.au> writes:
> On 08/04/10 16:21, Andrew Rodland wrote:
>>>    * In what circumstances was an attack possible?
>>>      ie. What combination of modules, options, auth methods.
>> * You use Catalyst::Authentication::Credential::Password.
>> * With the "hashed" password_type.
>> * And your database is compromised.
> I'd like to follow up that last point, regarding the DB being compromised.
> Is that definitely a requirement for the vulnerability?

Unless you are passing the hashed passwords around as authentication tokens,
yes.  Plus, at that point you have already lost.

> I ask because, in many cases, if your DB is compromised, then the horse has
> already bolted.
> I understand that isn't the case for everyone, such as payment processors,
> online shops, etc. where actions can be carried out by logged in users that
> cause external effects.. but in some cases, the database IS the website, and
> if you've stolen it, then there's no point logging in as another user
> artificially.

...but your lost database *also* exposed user account/password pairs, which
can now be tried against other services, since people usually use the same
weak password and username all over the place.

>From the app-dev perspective, though, you already lost. :)

> But, yes, it's still worth looking into fixing then I think.

*nod*  Unix did, decades back, for much the same reasons other people have
given here.

✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

More information about the Catalyst mailing list