[Catalyst] Re: Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 06:21:10 GMT 2010


:re from rt

> So use salted_hash which uses Crypt::SaltedHash.
> Or, set the salt to a random value on each request.

I think you're missing something -- or I am. How do you propose to set
it to a different value on each request if the salt is being read
from the configuration and not the call to authenticate? Should I modify
the global configuration of C:P:A from the Controller? That sounds
hackish. Moreover, the traditional method of salting is to store the
salt in the DB? If this is used, should I retrieve the salt with the
Authentication plugin's model? That would sound silly.

Crypt::SaltedHash makes the salt a function of the username; I haven't
looked too much into the implementation, but it certainly isn't the
normal method of salting -- though it most probably helps to some level.

The obvious solution to this will be to have a `salt_field`, that when
filled out retrieves the salt from the userinfo. I'll see about a patch
tomorrow.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
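The per-user salt layout the `salt_field` proposal above implies, as an added, self-contained example (not code from this post, from Catalyst::Plugin::Authentication, or from Crypt::SaltedHash): each user record carries its own random salt in a separate column, the salt is read from that record at verification time rather than from global configuration, and two users with the same password end up with different stored hashes. The record shape, the field names `salt` and `password`, and the helper names are assumptions for illustration; only core modules (Digest::SHA, MIME::Base64) are used.

```perl
#!/usr/bin/env perl
# Added example, not from the original post or from C:P:A.
# Per-user salt stored beside the hash, as a `salt_field` column would hold it.
use strict;
use warnings;
use Digest::SHA  qw(sha256_hex);
use MIME::Base64 qw(encode_base64);

# Fresh random salt from the OS CSPRNG (16 bytes, base64 so it stores as text).
sub random_salt {
    my $bytes = shift // 16;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $raw, $bytes) == $bytes or die "short read from /dev/urandom";
    close $fh;
    return encode_base64($raw, '');   # '' => no trailing newline
}

# Hash = SHA-256(salt || password); the salt is what keeps equal passwords apart.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

# Build a user record (constructed sample; field names are assumptions).
# The salt lives in its own column, which is what a `salt_field` would point at.
sub new_user_record {
    my ($username, $password) = @_;
    my $salt = random_salt();
    return {
        username => $username,
        salt     => $salt,
        password => hash_password($salt, $password),
    };
}

# Constant-time string comparison so the check does not leak how many
# leading bytes of the stored hash matched.
sub equal_ct {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a login attempt: the salt comes from the user's own record,
# not from the plugin's global configuration.
sub check_password {
    my ($record, $attempt) = @_;
    return equal_ct($record->{password}, hash_password($record->{salt}, $attempt));
}

my $alice = new_user_record('alice', 'correct horse');
my $bob   = new_user_record('bob',   'correct horse');

printf "alice: salt=%s hash=%s\n", $alice->{salt}, $alice->{password};
printf "bob:   salt=%s hash=%s\n", $bob->{salt},   $bob->{password};
print  "same password, different hashes: ",
       ($alice->{password} ne $bob->{password} ? "yes" : "no"), "\n";
print  "alice correct password accepted: ",
       (check_password($alice, 'correct horse') ? "yes" : "no"), "\n";
print  "alice wrong password rejected:   ",
       (check_password($alice, 'wrong') ? "yes" : "no"), "\n";
```

Run it as `perl salted.pl`. The point it demonstrates is the one the thread circles around: a single salt from the configuration gives every user the same salt, so identical passwords still produce identical hashes and one precomputed table covers the whole user base; a salt stored per record removes that. A single SHA-256 round is enough to show the salt handling, but in practice a deliberately slow password hash (bcrypt or similar) would replace `hash_password` so that guessing is expensive as well as unshared.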


