[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 18:13:08 GMT 2010


> It would be if anything you said were true; fortunately it's not, and both
> available methods of doing salted passwords with
> Catalyst::Plugin::Authentication do salt entirely the correct way.
>
> Your unnecessary and condescending lectures are, however, greatly appreciated
> as usual.

While you're probably doubting your whole statement about salts being
implemented "entirely the correct way," I just wanted to indulge you
with one more lecture. I feel the need to call you out and cross-post
your response on rt for the historical mailing-list record:

    I have no idea what distribution you intended to file this bug against,
    but it's obviously not the one you *did* file against, which does
    nothing even vaguely resembling reading salt from a config file.

To which I responded:

    http://search.cpan.org/src/FLORA/Catalyst-Plugin-Authentication-0.10016/lib/Catalyst/Authentication/Credential/Password.pm

    I think I've got the right one...

    P.S. stop being an asshole, thanks.

along with the code:

    Just to save some insincere discourse and further boring name calling:

    $d->add( $self->_config->{'password_pre_salt'} || '' );
    $d->add($password);
    $d->add( $self->_config->{'password_post_salt'} || '' );

I have a disconnect sometimes when I see "Andrew Rodland," instead of
"hobbs" but your unwavering hostility is certainly noticed. Rather
than give the bug report a fair evaluation you deny it without reason.
Like most religions, yours has a convenient indicator: "if anything
you said were true; fortunately it's not." Good, concise illogical ad
hominem not grounded in reality, and totally without merit as to the
bug report.

-- 
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
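The construction quoted above, as an added example that is not from the Catalyst code base or from either poster: it reproduces the pre-salt/password/post-salt digest from the three quoted lines (a constructed %config hash stands in for $self->_config), puts a per-account random-salt scheme with iterated HMAC-SHA-256 (PBKDF2 written out in full) beside it, and shows that with a salt taken from site configuration two accounts holding the same password end up with the same stored digest, whereas per-account salts make them differ. Only the core Digest::SHA module is used; the configuration keys, the passwords and the /dev/urandom salt source (Unix only) are assumptions made for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

# Reproduces the quoted Credential::Password construction: the salts are
# whatever the site configuration holds, so every account shares them.
# $config stands in for $self->_config (constructed for this example).
sub config_salted_digest {
    my ($config, $password) = @_;
    my $d = Digest::SHA->new('sha256');
    $d->add( $config->{'password_pre_salt'}  || '' );
    $d->add($password);
    $d->add( $config->{'password_post_salt'} || '' );
    return $d->hexdigest;
}

# Per-account random salt read from the kernel CSPRNG (Unix path assumed;
# helper constructed for this example, not part of the plugin).
sub random_salt {
    my $bytes = shift // 16;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $n = read $fh, my $salt, $bytes;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == $bytes;
    return $salt;
}

# PBKDF2 with HMAC-SHA-256 and a single 32-byte output block, written out
# so the iteration is visible: U1 = HMAC(P, S || INT(1)), Ui = HMAC(P, U(i-1)),
# result = U1 xor U2 xor ... xor Uc.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);
    my $t = $u;
    for (2 .. $iterations) {
        $u = hmac_sha256($u, $password);
        $t ^= $u;                     # string XOR, byte by byte
    }
    return $t;
}

# Stored record for one account: scheme, iteration count, salt and derived
# key, hex-encoded so the whole thing fits one database column.
sub per_user_record {
    my ($password, $iterations) = @_;
    $iterations //= 100_000;
    my $salt = random_salt(16);
    my $dk   = pbkdf2_sha256($password, $salt, $iterations);
    return join '$', 'pbkdf2-sha256', $iterations,
        unpack('H*', $salt), unpack('H*', $dk);
}

# Verification recomputes the derived key with the stored salt and count.
sub verify_per_user {
    my ($password, $record) = @_;
    my (undef, $iterations, $salt_hex, $dk_hex) = split /\$/, $record;
    my $dk = pbkdf2_sha256($password, pack('H*', $salt_hex), $iterations);
    return unpack('H*', $dk) eq $dk_hex ? 1 : 0;
}

# Constructed site configuration and two accounts that chose the same password.
my %config = (
    password_pre_salt  => 'site-wide-pre',
    password_post_salt => 'site-wide-post',
);
my $pw = 'hunter2';

my $alice = config_salted_digest(\%config, $pw);
my $bob   = config_salted_digest(\%config, $pw);
printf "config-wide salt: alice == bob ? %s\n", $alice eq $bob ? 'yes' : 'no';

my $rec_a = per_user_record($pw, 10_000);
my $rec_b = per_user_record($pw, 10_000);
printf "per-user salt:    alice == bob ? %s\n",
    (split /\$/, $rec_a)[3] eq (split /\$/, $rec_b)[3] ? 'yes' : 'no';
printf "verify alice, right password: %d\n", verify_per_user($pw, $rec_a);
printf "verify alice, wrong password: %d\n", verify_per_user('hunter3', $rec_a);
```

The first comparison is deterministic: with the salt coming from configuration rather than from the account, equal passwords always collide, so a leaked table reveals which accounts share a password and a single precomputation covers all of them. The per-account record carries its own salt and iteration count, so the verifier needs nothing beyond the stored string and the candidate password.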
