[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Evan Carroll lists at evancarroll.com
Sun Apr 11 05:01:51 GMT 2010


On Sat, Apr 10, 2010 at 5:37 PM, Andrew Rodland <andrew at cleverdomain.org> wrote:
> That's not why that argument exists, that's not how it gets used, and that's
> not how C::A::Cred::Password uses it. If you'd thought for half a second, it
> might have occurred to you that that calling convention actually exists to
> support exactly what you're asking for -- storing the hash and salt separately
> for some bizarre reason despite that each is entirely useless without the
> other.

That documentation wasn't from C::A::Cred::Password, it was from
Crypt::SH. And, I'm not sure why you would want to use that module IF
you're doing things my way (please read previous post). With that
said, I'd assume you're right, and that is what the intention is; but,
it certainly doesn't seem to make the task at hand any more simple.
I'm really only siding with you, because the alternative is to remove
the benefit of doubt and assume that the intention was to permit a
static salt for all applications of Crypt::SH.

Storing things separate is a bad thing? It's actually 1NF.

I gave you the "bizarre reason" for my doing this: you've chosen not
to address it on the merits. I've also thought for half a second: and,
Andrew, I think you should stop responding to my posts. Your inability
to behave in a civil fashion is annoying and unbecoming. And, to boot,
every time you've addressed me on these threads *you've* been wrong.

With love,

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
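The two storage layouts argued over in this thread (hash and salt in separate fields versus one combined string) carry the same information, and the real risk raised here is a single static salt shared by every account. The following is an added example, not code from the thread, from Catalyst or from Crypt::SaltedHash; it assumes PBKDF2-HMAC-SHA256 as the hash, 16-byte salts, and a constructed "{PBKDF2}" prefix standing in for an "{SSHA}"-style combined value.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added illustration, not code from the thread, Catalyst or Crypt::SaltedHash.
# Assumptions: PBKDF2-HMAC-SHA256 as the hash, 16-byte salts, and the two
# record layouts below as stand-ins for "separate columns" vs "one string".

SALT_LEN = 16
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (raw digest bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Layout 1: hash and salt in separate fields (the "1NF" layout from the thread).
def store_separate(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    salt = salt if salt is not None else os.urandom(SALT_LEN)  # fresh per record
    return {"salt": salt.hex(), "hash": derive(password, salt).hex()}


def verify_separate(record: Dict[str, str], password: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    # constant-time comparison of the stored digest against a fresh derivation
    return hmac.compare_digest(bytes.fromhex(record["hash"]), derive(password, salt))


# Layout 2: one string carrying both, digest followed by salt, base64 encoded
# (the shape of an "{SSHA}"-style value; this prefix is a constructed label).
PREFIX = "{PBKDF2}"


def store_combined(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return PREFIX + base64.b64encode(derive(password, salt) + salt).decode("ascii")


def split_combined(value: str) -> Tuple[bytes, bytes]:
    """Recover (hash, salt); the salt is the trailing SALT_LEN bytes."""
    if not value.startswith(PREFIX):
        raise ValueError("unexpected hash format")
    raw = base64.b64decode(value[len(PREFIX):])
    return raw[:-SALT_LEN], raw[-SALT_LEN:]


def verify_combined(value: str, password: str) -> bool:
    digest, salt = split_combined(value)
    return hmac.compare_digest(digest, derive(password, salt))


def same_record(combined: str, separate: Dict[str, str]) -> bool:
    """True if both layouts hold the identical (hash, salt) pair."""
    digest, salt = split_combined(combined)
    return digest.hex() == separate["hash"] and salt.hex() == separate["salt"]


# The failure mode raised in the thread: one fixed salt shared by every account.
STATIC_SALT = b"\x00" * SALT_LEN  # constructed, deliberately bad


def static_salt_collides(pw_a: str, pw_b: str) -> bool:
    """With a shared salt, equal passwords produce equal stored hashes."""
    return store_separate(pw_a, STATIC_SALT)["hash"] == store_separate(pw_b, STATIC_SALT)["hash"]


def per_user_salt_collides(pw_a: str, pw_b: str) -> bool:
    """With a random salt per record, even equal passwords differ in storage."""
    return store_separate(pw_a)["hash"] == store_separate(pw_b)["hash"]


if __name__ == "__main__":
    rec = store_separate("correct horse")
    print("separate layout verifies:", verify_separate(rec, "correct horse"))
    print("static salt collides:", static_salt_collides("hunter2", "hunter2"))
    print("per-user salt collides:", per_user_salt_collides("hunter2", "hunter2"))
```

Whichever layout the schema uses, the verifier needs the salt and the digest together, so the choice between a combined string and separate columns is a data-modelling decision; what must not vary is that the salt is generated fresh per record, since a shared salt lets equal passwords be spotted directly from the stored values.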


