[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?
Andrew Rodland
andrew at cleverdomain.org
Sat Apr 10 22:37:00 GMT 2010
On Saturday 10 April 2010 11:21:27 am Evan Carroll wrote:
> Also, I should point out that Crypt::SaltedHash permits the same
> stupid idea of a static, non-random salt set up in the constructor.
> This makes it slightly more fishy: why would you ever want to use this
> module to do what I just did without it?
>
> # salt: You can specify your own salt. You can either specify it as a
> sequence of characters or as a hex encoded string of the form
> "HEX{...}". If the argument is missing, a random seed is provided for
> you (recommended).
That's not why that argument exists, that's not how it gets used, and that's
not how C::A::Cred::Password uses it. If you'd thought for half a second, it
might have occurred to you that that calling convention actually exists to
support exactly what you're asking for -- storing the hash and salt separately
for some bizarre reason, despite each being entirely useless without the
other.
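The two storage layouts being argued about, shown as an added example in Python (this is not code from the post, from Catalyst or from Crypt::SaltedHash): a salted SHA-1 hash is either stored as one RFC 2307-style "{SSHA}" string that carries its own salt, or the digest and salt are kept in separate fields, in which case the stored salt has to be supplied again at validation time, which is what a fixed "salt =>" constructor argument makes possible. The "{SSHA}" layout (base64 of digest followed by salt, 4-byte salt by default) is assumed here to match what Crypt::SaltedHash emits for SHA-1; the function names and the sample password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# SHA-1 digests are 20 bytes; everything after the digest in a decoded
# {SSHA} blob is the salt, so the salt length does not need to be stored.
DIGEST_LEN = hashlib.sha1().digest_size


def make_ssha(password: bytes, salt: Optional[bytes] = None, salt_len: int = 4) -> str:
    """Build a {SSHA} string: base64(sha1(password + salt) + salt).

    With salt=None a fresh random salt is drawn, the recommended path.
    Passing a salt explicitly is the "storing hash and salt separately" case:
    the caller already has a salt and needs the digest recomputed with it.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Take a combined {SSHA} string apart into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not a {SSHA} string")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("blob carries no salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def validate_combined(stored: str, password: bytes) -> bool:
    """Layout 1: the salt travels inside the stored string, nothing else needed."""
    digest, salt = split_ssha(stored)
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())


def store_separately(stored: str) -> Tuple[str, str]:
    """Convert a combined string into the two hex fields a schema with separate
    hash and salt columns would hold (constructed layout for the example)."""
    digest, salt = split_ssha(stored)
    return digest.hex(), salt.hex()


def validate_separate(digest_hex: str, salt_hex: str, password: bytes) -> bool:
    """Layout 2: digest and salt come from separate fields. The stored salt is
    fed back in to recompute the digest; without it no comparison is possible."""
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    return hmac.compare_digest(expected, hashlib.sha1(password + salt).digest())


def same_password_same_salt_collides(password: bytes, salt: bytes) -> bool:
    """With a fixed salt, two users with the same password get identical strings;
    with per-password random salts (make_ssha(password)) they do not."""
    return make_ssha(password, salt) == make_ssha(password, salt)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    combined = make_ssha(pw)
    print("combined :", combined, validate_combined(combined, pw))
    digest_hex, salt_hex = store_separately(combined)
    print("separate :", digest_hex, salt_hex,
          validate_separate(digest_hex, salt_hex, pw))
    print("fixed salt collides:", same_password_same_salt_collides(pw, b"abcd"))
    print("random salts differ:", make_ssha(pw) != make_ssha(pw))
```

The separate-field path only works because the salt that was used at hash time is stored and handed back to the hashing routine; a validator that did not get the salt would have to guess it, and a digest without its salt cannot be checked at all.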