[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Tue Mar 23 20:17:17 GMT 2010


The purpose of salt is to reduce the ability for a single (pre-calculated)
rainbow table of passwords and hashes to compromise the whole store. If
your salt isn't a random function, or specific to the user there is no
benefit in the salt...

This is broken implementation. Hard coding salt in a config file only
protects you from a rainbow table without that salt. It still doesn't
solve the problem of cached hashings.

Evan Carroll
System Lord of the Internets

More information about the Catalyst mailing list