[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Andrew Rodland andrew at cleverdomain.org
Sat Apr 10 22:37:00 GMT 2010


On Saturday 10 April 2010 11:21:27 am Evan Carroll wrote:

> Also, I should point out that Crypt::SaltedHash permits the same
> stupid idea of a static, non-random salt set up in the constructor.
> This makes it slightly more fishy: why would you ever want to use this
> module to do what I just did without it?
> 
> # salt: You can specify your own salt. You can either specify it as a
> sequence of characters or as a hex encoded string of the form
> "HEX{...}". If the argument is missing, a random seed is provided for
> you (recommended).

That's not why that argument exists, that's not how it gets used, and that's 
not how C::A::Cred::Password uses it. If you'd thought for half a second, it 
might have occurred to you that that calling convention actually exists to 
support exactly what you're asking for -- storing the hash and salt separately 
for some bizarre reason despite that each is entirely useless without the 
other.
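The calling convention Andrew describes, a hash and its salt kept in separate fields and the salt handed back in at verification time, shown as an added example (not code from this thread, from Crypt::SaltedHash or from Catalyst::Authentication::Credential::Password). It mirrors the SSHA-style layout, H(password || salt) with a short random salt, in plain Python; the function names `make_record`, `verify` and `static_salt_collisions` are assumptions made here for illustration, and the last one exists only to show why a fixed salt in the constructor defeats the purpose.

```python
import binascii
import hashlib
import hmac
import os


def make_record(password, salt=None, salt_len=4):
    """Hash a password with a per-user salt.

    Returns (hex_hash, hex_salt) as two separate values so they can be
    stored in two columns. When `salt` is None a fresh random salt is
    drawn; when it is supplied (e.g. read back from the database) the
    same hash is recomputed for that salt, which is what the `salt`
    constructor argument in the quoted documentation is for.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    # SSHA-style construction: single SHA-1 over password || salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return binascii.hexlify(digest).decode("ascii"), binascii.hexlify(salt).decode("ascii")


def verify(password, stored_hash_hex, stored_salt_hex):
    """Recreate the hash from the stored salt and compare in constant time."""
    salt = binascii.unhexlify(stored_salt_hex)
    candidate, _ = make_record(password, salt=salt)
    return hmac.compare_digest(candidate, stored_hash_hex)


def static_salt_collisions(passwords, fixed_salt):
    """Count how many stored hashes repeat when every user shares one salt.

    With a static salt, two users who chose the same password get the
    same hash, so one cracked entry reveals every duplicate at once.
    """
    hashes = [make_record(p, salt=fixed_salt)[0] for p in passwords]
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    h, s = make_record("correct horse")
    print("stored hash:", h)
    print("stored salt:", s)
    print("login ok:   ", verify("correct horse", h, s))
    print("wrong pw:   ", verify("wrong horse", h, s))
    print("collisions with a static salt:",
          static_salt_collisions(["alpha", "alpha", "beta"], b"\x00\x00\x00\x00"))
```

The verification path is the only place the stored salt is fed back in; at enrolment the salt is always freshly generated. Note that this construction is a single SHA-1 pass, which is what the module of the period produced; the storage layout discussed here carries over unchanged to a slow password KDF, which is what a new deployment should use instead.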
