[Catalyst] Security issue with hashed passwords in C:P:A:Password

Evan Carroll lists at evancarroll.com
Wed Mar 24 18:13:08 GMT 2010

> It would be if anything you said were true; fortunately it's not, and both
> available methods of doing salted passwords with
> Catalyst::Plugin::Authentication do salt entirely the correct way.
> Your unnecessary and condescending lectures are, however, greatly appreciated
> as usual.

While you're probably doubting your whole statement about salts being
implemented "entirely the correct way," I just wanted to indulge you
with one more lecture. I feel the need to call you out and cross-post
your response on rt for the historical mailing-list record:

    I have no idea what distribution you intended to file this bug against,
    but it's obviously not the one you *did* file against, which does
    nothing even vaguely resembling reading salt from a config file.

To which I responded:


    I think I've got the right one...

    P.S. stop being an asshole, thanks.

along with the code:

    Just to save some insincere discourse and further boring name calling:

    $d->add( $self->_config->{'password_pre_salt'} || '' );
    $d->add( $self->_config->{'password_post_salt'} || '' );

I have a disconnect sometimes when I see "Andrew Rodland," instead of
"hobbs" but your unwavering hostility is certainly noticed. Rather
than give the bug report a fair evaluation you deny it without reason.
Like most religions, yours has a convenient indicator: "if anything
you said were true; fortunately it's not." Good, concise illogical ad
hominem not grounded in reality, and totally without merit as to the
bug report.

Evan Carroll
System Lord of the Internets
