[Catalyst] Outcome of the "Security issue with hashed passwords
in C:P:A:Password"?
Mark Blackman
m.blackman at fairfx.com
Fri Apr 9 13:54:40 GMT 2010
On 9 Apr 2010, at 02:58, Evan Carroll wrote:
> I already patched this with a fix, it is on github and I've linked to
> it and posted it on rt. Janus told me he would give me maintenance to
> post it on CPAN, and he hasn't followed through yet. It fixes the
> problem by permitting you to pull in a non-static salt from the DB.
If you want a non-static salt, wouldn't you just use the 'salted_hash'
password type in your config?
I'd assume the whole point of the 'hashed' type is that you explicitly
want a common but hidden salt value regardless of how undesirable that is.
As far as I can tell, the whole point of this patch is aimed at the 'hashed'
password case only (rather than 'salted_hash').
- Mark
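The distinction Mark draws between a common hidden salt ('hashed') and a per-account salt ('salted_hash') is easy to see on a small user table. The following is an added illustration of the two schemes, not Catalyst::Plugin::Authentication's own code: the hash function (SHA-256), the 16-byte salt length, the common-salt value, the user table and the wordlist are all assumed or constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Assumed values for the illustration (not from the page or from Catalyst's defaults).
COMMON_SALT = b"app-wide-hidden-salt"   # models the 'hashed' type's single, config-held salt
SALT_LEN = 16                            # per-account salt length used for 'salted_hash'

# Constructed user table: two accounts share a password on purpose.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}


def hashed_digest(password: str, common_salt: bytes = COMMON_SALT) -> bytes:
    """'hashed' style: one salt, kept in config, applied to every account."""
    return hashlib.sha256(common_salt + password.encode()).digest()


def salted_hash_make(password: str, salt: Optional[bytes] = None) -> bytes:
    """'salted_hash' style: a fresh random salt per account, stored next to the digest."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + password.encode()).digest()


def salted_hash_verify(password: str, stored: bytes) -> bool:
    """Recover the salt from the stored value, recompute, compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def hashed_table(users: Dict[str, str]) -> Dict[str, bytes]:
    return {u: hashed_digest(p) for u, p in users.items()}


def salted_table(users: Dict[str, str]) -> Dict[str, bytes]:
    return {u: salted_hash_make(p) for u, p in users.items()}


def duplicate_groups(table: Dict[str, bytes]) -> List[Set[str]]:
    """Accounts whose stored values are byte-identical. With a common salt these are
    exactly the accounts that share a password, visible without cracking anything."""
    by_value: Dict[bytes, Set[str]] = {}
    for user, value in table.items():
        by_value.setdefault(value, set()).add(user)
    return [group for group in by_value.values() if len(group) > 1]


def crack_common_salt(table: Dict[str, bytes], wordlist: List[str],
                      common_salt: bytes = COMMON_SALT) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on 'hashed' storage once the common salt is known: one digest
    per candidate word covers every account. Returns (cracked, digests computed)."""
    lookup = {hashed_digest(w, common_salt): w for w in wordlist}
    cracked = {u: lookup[v] for u, v in table.items() if v in lookup}
    return cracked, len(wordlist)


def crack_per_user_salt(table: Dict[str, bytes], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on 'salted_hash' storage: each account needs its own pass over the
    wordlist because its salt differs. Returns (cracked, digests computed)."""
    cracked: Dict[str, str] = {}
    digests = 0
    for user, stored in table.items():
        for word in wordlist:
            digests += 1
            if salted_hash_verify(word, stored):
                cracked[user] = word
                break
    return cracked, digests
```

With the common salt, alice and bob store identical values, so a dump of the table alone reveals that they share a password, and once the salt is known (it lives in config, which tends to leak together with the database) a single pass over a wordlist cracks every account. With a per-account salt the stored values differ even for equal passwords and the attacker pays the wordlist cost once per account. Neither variant is a slow password hash; a single SHA-256 round is used here only to keep the comparison between the two salting strategies visible.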