[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Evan Carroll lists at evancarroll.com
Sat Apr 10 16:21:27 GMT 2010

> Why would you want the complexity of storing them separately when you could do
> it the way every other system on the planet does it? Why would you add
> duplicate functionality that's inferior to what it duplicates?

The crypt method might be popular in some applications and in some
libraries; but, it looks to be more code here, and more complexity.

How do you use the crypt message in Bash? How do you, from your DB,
use the crypt method? How would you interface PHP or some other
horridly crappy language into this? Just the work of finding a
respective crypt module looks worse then this:

     use Digest::SHA qw(sha1_hex)
     sha1_hex( input.password . row.salt ) eq row.salthash

     vs, what?

     use Crypt::SaltedHash;
     my $csh = Crypt::SaltedHash->new('algorithm' => 'SHA-1' );
     $csv->validate( row.salthash, input.password, 4 );

Using my method, all I need is a sha1 hash function. This isn't the
best hash, but it works fairly well.

Also, I should point out that Crypt::SaltedHash permits the same
stupid idea of a static, non-random salt set up in the constructor.
This makes it slightly more fishy: why would you ever want to use this
module to do what I just did without it?

# salt: You can specify your on salt. You can either specify it as a
sequence of charactres or as a hex encoded string of the form
"HEX{...}". If the argument is missing, a random seed is provided for
you (recommended).

Evan Carroll
System Lord of the Internets

More information about the Catalyst mailing list