[Catalyst] Re: Outcome of the "Security issue with hashed passwords in C:P:A:Password"?
Toby Corkindale
toby.corkindale at strategicdata.com.au
Fri Apr 9 01:12:24 GMT 2010
On 08/04/10 22:49, Daniel Pittman wrote:
> Toby Corkindale<toby.corkindale at strategicdata.com.au> writes:
>> On 08/04/10 16:21, Andrew Rodland wrote:
>>>> * In what circumstances was an attack possible?
>>>> ie. What combination of modules, options, auth methods.
>>>
>>> * You use Catalyst::Authentication::Credential::Password.
>>> * With the "hashed" password_type.
>>> * And your database is compromised.
>>
>> I'd like to follow up that last point, regarding the DB being compromised.
>> Is that definitely a requirement for the vulnerability?
>
> Unless you are passing the hashed passwords around as authentication tokens,
> yes. Plus, at that point you have already lost.
>
>> I ask because, in many cases, if your DB is compromised, then the horse has
>> already bolted.
>>
>> I understand that isn't the case for everyone, such as payment processors,
>> online shops, etc. where actions can be carried out by logged in users that
>> cause external effects.. but in some cases, the database IS the website, and
>> if you've stolen it, then there's no point logging in as another user
>> artificially.
>
> ...but your lost database *also* exposed user account/password pairs, which
> can now be tried against other services, since people usually use the same
> weak password and username all over the place.
.. if they are using sufficiently weak passwords, such that they're
present in a rainbow table? (Or do such rainbow tables contain every
single possible SHA-1 value, ie. from random-looking strings that happen
to correspond to the same SHA-1 as the actual password?)
>> From the app-dev perspective, though, you already lost. :)
>
>> But, yes, it's still worth looking into fixing then I think.
>
> *nod* Unix did, decades back, for much the same reasons other people have
> given here.
> Daniel
Although Unix had the problem that the /etc/passwd file was visible to
all users on the machine, prior to the introduction of the shadowed
version, and thus anyone could try and brute-force the password hashes.
In most (all) websites today, the authentication database is not
user-visible.
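The mechanics behind the exchange above, as an added example in Python. This is not code from Catalyst::Authentication::Credential::Password or from anyone in this thread; the user names, passwords, wordlist and the ITERATIONS constant are all constructed for the demonstration. It shows two things: a lookup table built from a wordlist recovers an unsalted SHA-1 password with a single dictionary lookup per user, and the same table is reusable against every unsalted dump because nothing per-user goes into the digest (it only recovers passwords that were in the list it was built from, not arbitrary SHA-1 preimages). With a random per-user salt and key stretching, the same attacker with the same wordlist has to redo the hashing under each user's salt; weak passwords still fall to a targeted dictionary run, but the precomputed table and the cross-user amortization are gone, which is the same property the shadowed, salted Unix crypt(3) scheme relied on.

```python
"""Unsalted "hashed" column vs. salted, stretched storage.

Added example, not code from Catalyst or from the thread; every user,
password and wordlist entry below is constructed.
"""
import hashlib
import hmac
import os

# Iteration count for the stretched scheme. Kept small so the demo runs in
# well under a second; a real deployment uses a far higher count.
ITERATIONS = 20_000


def sha1_hex(data: bytes) -> str:
    """Unsalted SHA-1 hex digest, the kind of value a plain 'hashed' column stores."""
    return hashlib.sha1(data).hexdigest()


# Constructed wordlist standing in for a published lookup/rainbow table.
WORDLIST = ["password", "123456", "letmein", "qwerty", "catalyst"]

# Constructed leaked authentication table: user -> unsalted SHA-1 hex digest.
LEAKED_UNSALTED = {
    "alice": sha1_hex(b"letmein"),
    "bob": sha1_hex(b"qwerty"),
    "carol": sha1_hex(b"m4NqT-9s#xZ2pLwv"),  # not in any wordlist
}


def build_lookup_table(words):
    """Precompute digest -> password once. With no salt in the digest this
    table applies unchanged to every unsalted dump from every site."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_unsalted(leaked, table):
    """One dictionary lookup per user. Returns (cracked users, number of hash
    computations done at crack time), which is zero: the work was all spent
    once, when the table was built."""
    cracked = {user: table[d] for user, d in leaked.items() if d in table}
    return cracked, 0


def stretched_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA1): same primitive as above, but
    the per-user salt means no table built in advance can match it."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS)


def store_salted(password: str):
    """What the row should hold instead: a random per-user salt and the
    stretched digest."""
    salt = os.urandom(16)
    return salt, stretched_hash(password.encode(), salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored row."""
    return hmac.compare_digest(stretched_hash(password.encode(), salt), stored)


def crack_salted(leaked, words):
    """Same attacker and wordlist against salted rows. No lookup applies:
    each candidate is re-hashed under each user's salt, so the cost is up to
    len(words) * len(users) PBKDF2 runs (each ITERATIONS SHA-1 calls)."""
    cracked = {}
    computations = 0
    for user, (salt, digest) in leaked.items():
        for w in words:
            computations += 1
            if hmac.compare_digest(stretched_hash(w.encode(), salt), digest):
                cracked[user] = w
                break
    return cracked, computations


def demo():
    """Run both attacks over the constructed data and return the results."""
    table = build_lookup_table(WORDLIST)
    unsalted_hits, _ = crack_unsalted(LEAKED_UNSALTED, table)

    # The same three users re-stored with per-user salts.
    leaked_salted = {
        "alice": store_salted("letmein"),
        "bob": store_salted("qwerty"),
        "carol": store_salted("m4NqT-9s#xZ2pLwv"),
    }
    salted_hits, work = crack_salted(leaked_salted, WORDLIST)
    return unsalted_hits, salted_hits, work


if __name__ == "__main__":
    unsalted_hits, salted_hits, work = demo()
    print("unsalted, via precomputed lookup table:", unsalted_hits)
    print("salted, via per-user dictionary run:", salted_hits,
          "after", work, "PBKDF2 runs of", ITERATIONS, "iterations each")
```

Running it, alice and bob are recovered in both cases and carol in neither; the difference is that the unsalted dump cost nothing beyond the one-time table, while the salted dump cost a fresh PBKDF2 run per candidate per user, and a table built for one site's salts is useless against another's.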