[Catalyst] Re: Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 06:21:10 GMT 2010

:re from rt

> So use salted_hash which uses Crypt::SaltedHash.
> Or, set the salt to a random value on each request.

I think you're missing something -- or I am. How do you propose to set
it to a different value on each request if if the salt is being read
from the configuration and not the call to authenticate? Should I modify
the global configuration of C:P:A from the Controller? That sounds
hackish. Moreover, the traditional method of salting is to store the
salt in the DB? If this is used, should I retrieve the salt with the
Authentication plugin's model? That would sound silly.

Crypt::SaltHash makes the salt a function of the username, I haven't
looked too much into the implementation but it certainly isn't the
normal method of salting -- though it most probably helps some level.

The obvious solution to this will be to have a `salt_field`, that when
filled out retrieves the salt from the userinfo. I'll see about a patch

Evan Carroll
System Lord of the Internets

More information about the Catalyst mailing list