[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Tue Mar 23 20:17:17 GMT 2010


https://rt.cpan.org/Ticket/Display.html?id=55850&results=a52c3c931cac70fddd2e1926e2f4280a

The purpose of salt is to reduce the ability for a single (pre-calculated)
rainbow table of passwords and hashes to compromise the whole store. If
your salt isn't a random function, or specific to the user, there is no
benefit in the salt...

This is a broken implementation. Hard coding salt in a config file only
protects you from a rainbow table without that salt. It still doesn't
solve the problem of cached hashings.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
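As an added illustration of the point made in the post (this is not code from the ticket or from Catalyst, and it is in Python rather than Perl): a site-wide salt taken from a config file makes every account with the same password hash to the same value, so one table built around that salt covers the whole store, while a random per-user salt does not. The config salt value and the user records are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed placeholder for a salt hard-coded in an application config,
# the situation the post describes (not a value from the ticket).
CONFIG_SALT = b"site-wide-salt-from-config"


def hash_static_salt(password: str, salt: bytes = CONFIG_SALT) -> str:
    """Password hashed with one salt shared by every account."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_per_user_salt(password: str, salt: bytes = b"") -> tuple:
    """Password hashed with a random per-user salt; returns (salt_hex, hash_hex).
    The salt is stored beside the hash so it can be reused on verification.
    PBKDF2 is used here as the key derivation; the iteration count is a
    separate hardening, the contrast with hash_static_salt is the salt."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def verify_per_user(password: str, salt_hex: str, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, actual = hash_per_user_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected_hex)


def duplicate_hash_groups(store: dict) -> dict:
    """Group usernames that share an identical stored hash. Under a static
    salt, users with the same password collide; that collision is the sign
    that a single precomputed table for that salt cracks all of them."""
    groups = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def demo() -> tuple:
    """Constructed user records; returns the collision groups for each scheme."""
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    static_store = {u: hash_static_salt(p) for u, p in users.items()}
    per_user_store = {u: hash_per_user_salt(p)[1] for u, p in users.items()}
    return duplicate_hash_groups(static_store), duplicate_hash_groups(per_user_store)
```

Running duplicate_hash_groups over a real store is the cheap audit: any collision group at all means the salt is not per-user.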


