[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Mark Blackman m.blackman at fairfx.com
Fri Apr 9 13:54:40 GMT 2010


On 9 Apr 2010, at 02:58, Evan Carroll wrote:

> I already patched this with a fix, it is on github and I've linked to
> it and posted it on rt. Janus told me he would give me maintenance to
> post it on CPAN, and he hasn't followed through yet. It fixes the
> problem by permitting you to pull in a non-static salt from the DB.

If you want a non-static salt, wouldn't you just use the 'salted_hash'
password type in your config?

I'd assume the whole point of the 'hashed' type is that you explicitly
want a common but hidden salt value regardless of how undesirable that is.

As far as I can tell, the whole point of this patch is aimed at the 'hashed'
password case only (rather than 'salted_hash').

- Mark
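The contrast Mark draws, as an added example that is not part of the thread and not Catalyst::Plugin::Authentication's own code. It models the two password types in Python so it runs stand-alone: a 'hashed'-style digest over a single config-wide pre/post salt, and a 'salted_hash'-style {SSHA} string with a random per-user salt in the Crypt::SaltedHash layout (digest followed by the salt, base64-encoded). The exact digest input order for 'hashed' (pre_salt . password . post_salt), the hex encoding of the stored value, the default salt length of 4 and the names PRE_SALT, POST_SALT, hashed_store, salted_hash_store, identical_hashes and crack_with_leaked_salt are my assumptions for the example, not something the thread states. The point it shows is the one that makes a "hidden" common salt undesirable: every user with the same password gets the same stored value, and once the config leaks alongside the DB the salt no longer hides anything.

```python
"""
Added example (not from the Catalyst thread or from Catalyst::Plugin::Authentication).
Models password_type => 'hashed' (one static, hidden salt pair for every user) against
password_type => 'salted_hash' (a fresh random salt per stored password, SSHA layout).
Assumed layouts: 'hashed' = hex(sha1(pre_salt . password . post_salt));
'salted_hash' = "{SSHA}" + base64(sha1(password . salt) . salt), salt_len bytes of salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

# Static salt pair shared by all users under the 'hashed' type (constructed values).
PRE_SALT = b"site-wide-secret-prefix"
POST_SALT = b"site-wide-secret-suffix"


def hashed_store(password: bytes, pre: bytes = PRE_SALT, post: bytes = POST_SALT) -> str:
    """'hashed' type: same salt for everyone, so equal passwords give equal digests."""
    return hashlib.sha1(pre + password + post).hexdigest()


def hashed_check(stored: str, password: bytes,
                 pre: bytes = PRE_SALT, post: bytes = POST_SALT) -> bool:
    """Constant-time compare against a stored 'hashed' value."""
    return hmac.compare_digest(stored, hashed_store(password, pre, post))


def salted_hash_store(password: bytes, salt_len: int = 4,
                      salt: Optional[bytes] = None) -> str:
    """'salted_hash' type: random per-user salt appended after the digest (SSHA layout).
    `salt` can be supplied only to make the output reproducible in tests."""
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def salted_hash_check(stored: str, password: bytes, salt_len: int = 4) -> bool:
    """Recover the trailing salt from the stored value and re-derive the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= salt_len:
        return False
    digest, salt = raw[:-salt_len], raw[-salt_len:]
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())


def identical_hashes(store: Callable[[bytes], str], password: bytes, users: int = 3) -> bool:
    """Store the same password for several users: does the scheme make them look alike?
    True for the static-salt 'hashed' type, False for 'salted_hash'."""
    return len({store(password) for _ in range(users)}) == 1


def crack_with_leaked_salt(stored: str, candidates: Iterable[bytes],
                           pre: bytes = PRE_SALT, post: bytes = POST_SALT) -> Optional[bytes]:
    """Offline guessing once DB and config have both leaked: the 'hidden' salt is known,
    so one digest per candidate covers every user at once."""
    for candidate in candidates:
        if hashed_check(stored, candidate, pre, post):
            return candidate
    return None


if __name__ == "__main__":
    pw = b"correct horse"
    print("hashed leaks shared passwords:", identical_hashes(hashed_store, pw))
    print("salted_hash leaks shared passwords:", identical_hashes(salted_hash_store, pw))
    print("cracked with leaked salt:", crack_with_leaked_salt(hashed_store(pw), [b"letmein", pw]))
```

Run it and the first line prints True, the second False: that is the difference between the two config options the reply refers to. The 'hashed' type is still a valid choice when the stored value must be reproducible (for example to compare against a digest produced elsewhere with the same secret), which is the "explicitly want a common but hidden salt" case Mark describes.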


