[Catalyst] Security issue with hashed passwords in C:P:A:Password

J. Shirley jshirley at gmail.com
Wed Mar 24 18:33:19 GMT 2010


On Wed, Mar 24, 2010 at 11:13 AM, Evan Carroll <lists at evancarroll.com> wrote:
>> It would be if anything you said were true; fortunately it's not, and both
>> available methods of doing salted passwords with
>> Catalyst::Plugin::Authentication do salt entirely the correct way.
>>
>> Your unnecessary and condescending lectures are, however, greatly appreciated
>> as usual.
>
> While you're probably doubting your whole statement about salts being
> implemented "entirely the correct way," I just wanted to indulge you
> with one more lecture. I feel the need to call you out and cross-post
> your response on rt for the historical mailing-list record:
>
>    I have no idea what distribution you intended to file this bug against,
>    but it's obviously not the one you *did* file against, which does
>    nothing even vaguely resembling reading salt from a config file.
>
> To which I responded:
>
>    http://search.cpan.org/src/FLORA/Catalyst-Plugin-Authentication-0.10016/lib/Catalyst/Authentication/Credential/Password.pm
>
>    I think I've got the right one...
>
>    P.S. stop being an asshole, thanks.
>
> along with the code:
>
>    Just to save some insincere discourse and further boring name calling:
>
>    $d->add( $self->_config->{'password_pre_salt'} || '' );
>    $d->add($password);
>    $d->add( $self->_config->{'password_post_salt'} || '' );
>
> I have a disconnect sometimes when I see "Andrew Rodland," instead of
> "hobbs" but your unwavering hostility is certainly noticed. Rather
> than give the bug report a fair evaluation you deny it without reason.
> Like most religions, yours has a convenient indicator: "if anything
> you said were true; fortunately it's not." Good, concise illogical ad
> hominem not grounded in reality, and totally without merit as to the
> bug report.
>


While my opinion of you is not favorable, I do believe that we should
always look at reports without seeing who filed them and react
accordingly.

In this case, though, the 'salted_hash' option defers all salting to
Crypt::SaltedHash.

The option for 'hashed' does what you are talking about, and the
documentation clearly lists the differences here.

I'm more of the mind that this is a non-issue, but could easily lead
people astray into doing something that they do not want to do.  If
there is a problem with the way the salts are handled, that would be a
problem in Crypt::SaltedHash.

Your bug report does seem to imply it would be a problem with
Crypt::SaltedHash, though, which is why without a more thorough
glance, you look like you are wholly mistaken.

-J
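To make the distinction J. Shirley draws concrete, here is an added Python illustration of the two schemes under discussion: the 'hashed' option, whose structure the quoted pre_salt/post_salt snippet shows, and the 'salted_hash' option that defers to Crypt::SaltedHash. This is example code written for this page, not code from the plugin, from Crypt::SaltedHash, or from anyone in the thread. The config values are constructed, and the {SSHA} layout (SHA-1 over password||salt, base64 of digest||salt, 4-byte salt) is an assumption about Crypt::SaltedHash's default format. The audit check at the end generalizes the point of the thread: a salt that is identical for every account lets two accounts with the same password store the same value, whereas a per-record salt does not.

```python
import base64
import hashlib
import hmac
import os

# Constructed config values standing in for the plugin's
# password_pre_salt / password_post_salt settings (assumption).
APP_CONFIG = {"password_pre_salt": "pre-", "password_post_salt": "-post"}


def hashed_digest(password, config=APP_CONFIG, algorithm="sha1"):
    """'hashed' style: fixed pre/post salt from config around the password.

    Mirrors the structure of the quoted snippet: the same two strings are
    added for every account, so this is a site-wide secret (a pepper),
    not a per-user salt. Missing settings fall back to '' as in the snippet.
    """
    d = hashlib.new(algorithm)
    d.update((config.get("password_pre_salt") or "").encode())
    d.update(password.encode())
    d.update((config.get("password_post_salt") or "").encode())
    return d.hexdigest()


SALT_LEN = 4  # Crypt::SaltedHash's default salt length (assumption)


def salted_hash_generate(password, rng=os.urandom):
    """'salted_hash' style: random per-record salt stored with the digest.

    Layout assumed from Crypt::SaltedHash: SHA-1 over password||salt,
    then base64 of digest||salt, prefixed with {SSHA}.
    """
    salt = rng(SALT_LEN)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def salted_hash_validate(stored, password):
    """Recover the salt from the stored value and recompute the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 20 + SALT_LEN:  # SHA-1 digest is 20 bytes
        return False
    digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def shared_password_collides(scheme, password):
    """Audit check: do two accounts with the same password store the same value?

    True for the fixed-salt scheme (every account shares the salt), False for
    the per-record salt scheme, which is the property a real salt provides.
    """
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("hashed      :", hashed_digest("hunter2"))
    stored = salted_hash_generate("hunter2")
    print("salted_hash :", stored, "valid:", salted_hash_validate(stored, "hunter2"))
    print("fixed salt collides      :", shared_password_collides(hashed_digest, "hunter2"))
    print("per-record salt collides :", shared_password_collides(salted_hash_generate, "hunter2"))
```

Run as a script it prints one value of each style and the two audit results. The same check can be run against an existing user table: if the stored values for accounts known to share a password are identical, the store is using a fixed salt (or none), and only the database-wide secret separates it from an unsalted hash.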
