[Catalyst] Outcome of the "Security issue with hashed passwords in C:P:A:Password"?

Wade Stuart wbs at grepit.net
Mon Apr 12 19:32:12 GMT 2010

On Sun, Apr 11, 2010 at 1:08 PM, Evan Carroll <lists at evancarroll.com> wrote:

> On Sun, Apr 11, 2010 at 12:31 AM, Andrew Rodland
> <andrew at cleverdomain.org> wrote:
> > Please, make some more public insults.

Guys,  just fix or don't fix the broken or not broken problem and stop the
crappy-crap-crap line noise.  IMHO,  with 19 years of experiance under my
belt, "hashed passowrds" use a plaintext random salt pre or post concat
(usually pre, so it is an easy and cheap index) with hash as a standard and
has been well before sha or md5 (think lessons learned before crypt).  In my
mind,  if that is not the default behavior anytime you expose the word
"hashed" along with "password" there had better be a very loud callout in

I don't know what the fix is -- it seems like doc or code would work.


> With love,
> --
> Evan Carroll
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.scsys.co.uk/pipermail/catalyst/attachments/20100412/befe2=

More information about the Catalyst mailing list