
This queue is for tickets about the CGI-Application-Plugin-Authentication CPAN distribution.

Report information
The Basics
Id: 16635
Status: stalled
Priority: 8/
Queue: CGI-Application-Plugin-Authentication

People
Owner: SILASMONK [...] cpan.org
Requestors: mrperson [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: 0.07
Fixed in: (no value)



Subject: MD5 and SHA1 routines should use salt
When using MD5 or SHA1 to hash a password, a salt value should be used to prevent an easy dictionary attack against the stored passwords. There's a good article at http://aspnet.4guysfromrolla.com/articles/112002-1.aspx that explains why hashing is needed. Crypt::PasswdMD5 is an example of a Perl module that uses this technique.
Chris, I hear you on this one. I have been looking into it and I can see two problems:

1.) The more complicated the password creation scheme is, the more important it becomes that the module offer a way to manage the passwords in accordance with that scheme. As far as I can see at the moment the module is not doing that.
2.) The current Driver::DBI code does not really offer it.

When I have addressed the above two issues I would be able to look at this again. In the meantime there is nothing stopping you from writing your own driver to implement this based upon the DBI driver.
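
The difference this ticket asks for, as an added stand-alone example that is not part of the ticket or of the CGI-Application-Plugin-Authentication code: the same accounts stored with plain SHA1 and with a per-user salt, checked against one precomputed table. The user names, passwords, word list and the `salt$digest` record layout are constructed for illustration, and `/dev/urandom` is assumed to be available.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample data: alice and bob happen to share a password.
my %users = (alice => 'sunshine', bob => 'sunshine', carol => 'c0rrect-h0rse');

# 8 random bytes from the OS, hex encoded (assumes a Unix-like /dev/urandom).
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 8) == 8 or die "short read from /dev/urandom";
    return unpack 'H*', $buf;
}

# The "salt$digest" record layout is a convention made up for this example.
sub hash_salted {
    my ($password) = @_;
    my $salt = new_salt();
    return $salt . '$' . sha1_hex($salt . $password);
}

sub verify_salted {
    my ($password, $stored) = @_;
    my ($salt, $digest) = split /\$/, $stored, 2;
    return 0 unless defined $digest;
    my $candidate = sha1_hex($salt . $password);
    return 0 unless length($candidate) == length($digest);
    # Compare every character instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($digest, $_, 1))
        for 0 .. length($candidate) - 1;
    return $diff == 0 ? 1 : 0;
}

# One precomputed digest-to-word table (constructed word list).
my %table    = map { (sha1_hex($_), $_) } qw(password sunshine letmein);
my %unsalted = map { ($_, sha1_hex($users{$_})) } keys %users;
my %salted   = map { ($_, hash_salted($users{$_})) } keys %users;

for my $u (sort keys %users) {
    my $digest = (split /\$/, $salted{$u}, 2)[1];
    printf "%-5s unsalted lookup: %-8s salted lookup: %s\n", $u,
        $table{ $unsalted{$u} } // 'miss', $table{$digest} // 'miss';
}
printf "alice and bob share an unsalted digest: %s\n",
    $unsalted{alice} eq $unsalted{bob} ? 'yes' : 'no';
printf "verify right/wrong password: %d/%d\n",
    verify_salted('sunshine', $salted{alice}),
    verify_salted('Sunshine', $salted{alice});
```

A salt stops one precomputed table from covering every account; it does not make guessing against a single stored record any slower.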