[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 17:06:13 GMT 2010


> I'll still chase this up tonight so that we're all clear if there is a
> potential (but very limited) issue or not :)

The issue here is that the implementation of salt gives you a false sense
of security. If you aren't worried about rainbow attacks, simply don't
use salt at all. It should be noted that any global salt will at least
lessen the chance of unsalted rainbow tables being used (such as
those downloaded from torrents), but this is marginal. With that said,
I've got the rewritten, moosified copy up with doc patches, passing
tests, and a working implementation of password_pre_salt_field and
password_post_salt_field; you can find it at:

http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/blob/master/lib/Catalyst/Authentication/Credential/Password.pm

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
