[Catalyst] Re: Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Toby Corkindale toby.corkindale at strategicdata.com.au
Fri Apr 9 01:12:24 GMT 2010


On 08/04/10 22:49, Daniel Pittman wrote:
> Toby Corkindale<toby.corkindale at strategicdata.com.au>  writes:
>> On 08/04/10 16:21, Andrew Rodland wrote:
>>>>     * In what circumstances was an attack possible?
>>>>       ie. What combination of modules, options, auth methods.
>>>
>>> * You use Catalyst::Authentication::Credential::Password.
>>> * With the "hashed" password_type.
>>> * And your database is compromised.
>>
>> I'd like to follow up that last point, regarding the DB being compromised.
>> Is that definitely a requirement for the vulnerability?
>
> Unless you are passing the hashed passwords around as authentication tokens,
> yes.  Plus, at that point you have already lost.
>
>> I ask because, in many cases, if your DB is compromised, then the horse has
>> already bolted.
>>
>> I understand that isn't the case for everyone, such as payment processors,
>> online shops, etc. where actions can be carried out by logged in users that
>> cause external effects.. but in some cases, the database IS the website, and
>> if you've stolen it, then there's no point logging in as another user
>> artificially.
>
> ...but your lost database *also* exposed user account/password pairs, which
> can now be tried against other services, since people usually use the same
> weak password and username all over the place.

... if they are using sufficiently weak passwords, such that they're 
present in a rainbow table? (Or do such rainbow tables contain every 
single possible SHA-1 value, i.e. from random-looking strings that happen 
to correspond to the same SHA-1 as the actual password?)


>> From the app-dev perspective, though, you already lost. :)
>
>> But, yes, it's still worth looking into fixing then I think.
>
> *nod*  Unix did, decades back, for much the same reasons other people have
> given here.
>          Daniel

Although Unix had the problem that the /etc/passwd file was visible to 
all users on the machine, prior to the introduction of the shadowed 
version, and thus anyone could try and brute-force the password hashes.

In most (all) websites today, the authentication database is not 
user-visible.
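As an added example that is not part of this thread or of Catalyst's own code, the Python below shows the point the two replies above are circling: with an unsalted "hashed" scheme one precomputed table answers every user on every site, and users who share a password are visible as identical hashes, whereas a random per-user salt removes both while still letting the site verify logins. The sample accounts, the small common-password table and the `salthex$digest` record format are constructed for illustration.

```python
import hashlib
import os

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = {"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "letmein"}

# Constructed stand-in for a precomputed table: SHA-1 of a few common
# passwords, computed once and reusable against any database that stores
# unsalted SHA-1 (the situation the "hashed" password_type leaves you in).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Illustrative salted record 'salthex$digest' (a real deployment would
    use a slow KDF such as bcrypt or PBKDF2 rather than one SHA-1 round)."""
    return salt.hex() + "$" + hashlib.sha1(salt + password.encode()).hexdigest()


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt; the salt is per-user, not secret."""
    salt_hex, _ = record.split("$", 1)
    return hash_salted(password, bytes.fromhex(salt_hex)) == record


def unsalted_exposure(accounts: dict) -> dict:
    """What a leaked table of unsalted hashes gives away: every hash present
    in the precomputed table, and every group of users sharing a password."""
    stored = {u: hash_unsalted(pw) for u, pw in accounts.items()}
    cracked = {u: PRECOMPUTED[h] for u, h in stored.items() if h in PRECOMPUTED}
    groups = {}
    for u, h in stored.items():
        groups.setdefault(h, []).append(u)
    shared = [sorted(us) for us in groups.values() if len(us) > 1]
    return {"cracked": cracked, "shared": shared}


def salted_exposure(accounts: dict) -> dict:
    """Same leak with a random 16-byte salt per user: the precomputed table
    no longer matches, and equal passwords no longer produce equal records."""
    stored = {u: hash_salted(pw, os.urandom(16)) for u, pw in accounts.items()}
    digests = {u: rec.split("$", 1)[1] for u, rec in stored.items()}
    cracked = {u: PRECOMPUTED[d] for u, d in digests.items() if d in PRECOMPUTED}
    return {"cracked": cracked, "distinct_records": len(set(stored.values()))}
```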


