[Catalyst] Security issue with hashed passwords in C:P:A:Password

J. Shirley jshirley at gmail.com
Wed Mar 24 18:33:19 GMT 2010

On Wed, Mar 24, 2010 at 11:13 AM, Evan Carroll <lists at evancarroll.com> wrote:
>> It would be if anything you said were true; fortunately it's not, and both
>> available methods of doing salted passwords with
>> Catalyst::Plugin::Authentication do salt entirely the correct way.
>> Your unnecessary and condescending lectures are, however, greatly appreciated
>> as usual.
> While you're probably doubting your whole statement about salts being
> implemented "entirely the correct way," I just wanted to indulge you
> with one more lecture. I feel the need to call you out and cross-post
> your response on rt for the historical mailing-list record:
>    I have no idea what distribution you intended to file this bug against,
>    but it's obviously not the one you *did* file against, which does
>    nothing even vaguely resembling reading salt from a config file.
> To which I responded:
>    http://search.cpan.org/src/FLORA/Catalyst-Plugin-Authentication-0.10016/lib/Catalyst/Authentication/Credential/Password.pm
>    I think I've got the right one...
>    P.S. stop being an asshole, thanks.
> along with the code:
>    Just to save some insincere discourse and further boring name calling:
>    $d->add( $self->_config->{'password_pre_salt'} || '' );
>    $d->add($password);
>    $d->add( $self->_config->{'password_post_salt'} || '' );
> I have a disconnect sometimes when I see "Andrew Rodland," instead of
> "hobbs" but your unwavering hostility is certainly noticed. Rather
> than give the bug report a fair evaluation you deny it without reason.
> Like most religions, yours has a convenient indicator: "if anything
> you said were true; fortunately it's not." Good, concise illogical ad
> hominem not grounded in reality, and totally without merit as to the
> bug report.

While my opinion of you is not favorable, I do believe that we should
always look at reports without seeing who filed them and react

In this case, though, the 'salted_hash' option defers all salting to

The option for 'hashed' does what you are talking about, and the
documentation clearly lists the differences here.

I'm more of the mind that this is a non-issue, but could easily lead
people astray into doing something that they do not want to do.  If
there is a problem with the way the salts are handled, that would be a
problem in Crypt::SaltedHash.

Your bug report does seem to imply it would be a problem with
Crypt::SaltedHash, though, which is why without a more thorough
glance, you look like you are wholly mistaken.
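An added illustration, not code from this thread or from Catalyst::Plugin::Authentication, of the distinction drawn above: the 'hashed' path wraps a fixed pre-salt and post-salt from the application config around every password, while a Crypt::SaltedHash-style store draws a fresh random salt per user and keeps it next to the digest. The digest algorithm (SHA-1), the {SSHA} base64 layout and the config values below are assumptions, chosen to mirror the quoted Perl, not taken from the module.

```python
import base64
import hashlib
import os
from hmac import compare_digest

# Constructed config: the key names are the ones quoted in the thread,
# the values are made up for this example.
CONFIG = {"password_pre_salt": "site-pre", "password_post_salt": "site-post"}


def hashed_mode(password: str, config: dict = CONFIG) -> str:
    """Mirror of the quoted 'hashed' logic: pre-salt, password, post-salt
    fed to one digest. Both salts come from config, so they are the same
    for every account (SHA-1 is an assumption; $d is not shown)."""
    d = hashlib.sha1()
    d.update((config.get("password_pre_salt") or "").encode())
    d.update(password.encode())
    d.update((config.get("password_post_salt") or "").encode())
    return d.hexdigest()


def salted_hash_generate(password: str, salt: bytes = b"") -> str:
    """Crypt::SaltedHash-style store (layout assumed to follow {SSHA}):
    a random per-user salt, appended to the digest so it can be
    recovered at validation time. A caller-supplied salt is only for
    deterministic tests."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def salted_hash_validate(stored: str, password: str) -> bool:
    """Recover the salt from the stored value and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def same_password_collides(mode_fn, password: str = "hunter2") -> bool:
    """True when two accounts sharing a password get identical stored
    values; that is the property a per-user salt is meant to remove."""
    return mode_fn(password) == mode_fn(password)
```

With a fixed config salt, `same_password_collides(hashed_mode)` is True, so equal passwords are visible as equal stored hashes across accounts; with the per-user salt it is False and each record must be attacked on its own.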
