> I'll still chase this up tonight so that we're all clear if there is a
> potential (but very limited) issue or not :)
The issue here is the implementation of salt gives you a false sense of security. If you aren't worried about rainbow attacks, simply don't use salt at all. It should be noted that any global salt will at least lessen the chance of unsalted rainbow tables being used (such as those downloaded from torrents), but this is marginal.

With that said, I've got the rewritten, moosified copy up with doc patches, passing tests, and a working implementation of password_pre_salt_field and password_post_salt_field. You can find it at:

http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/blob/master/lib/Catalyst/Authentication/Credential/Password.pm

--
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com
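
The difference between one global salt and per-record pre/post salts discussed in the message above, as an added Python example that is not part of the original message or the plugin's code. The record layout, the `pre_salt`/`post_salt` keys, the plain SHA-256 digest and every sample value are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

GLOBAL_SALT = "app-wide-salt"  # constructed value, stands in for a site-wide salt


def digest(password, pre_salt="", post_salt=""):
    """Hex SHA-256 of pre_salt + password + post_salt (digest choice is an assumption)."""
    data = (pre_salt + password + post_salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def make_user(password, per_user):
    """Build a stored record; per_user=True draws fresh random salts for this record."""
    if per_user:
        pre, post = secrets.token_hex(8), secrets.token_hex(8)
    else:
        pre, post = GLOBAL_SALT, ""
    return {"pre_salt": pre, "post_salt": post,
            "password": digest(password, pre, post)}


def verify(user, supplied):
    """Recompute the digest with the record's own salts, compare in constant time."""
    expected = digest(supplied, user["pre_salt"], user["post_salt"])
    return hmac.compare_digest(user["password"], expected)


def distinct_hashes(users):
    """Equal passwords share a hash only when the salts are shared too."""
    return len({u["password"] for u in users})


def covered_by_one_table(users, candidates, pre_salt, post_salt=""):
    """How many stored hashes fall inside one table precomputed with a single salt."""
    table = {digest(c, pre_salt, post_salt) for c in candidates}
    return sum(u["password"] in table for u in users)


if __name__ == "__main__":
    passwords = ["hunter2", "hunter2", "letmein"]  # constructed sample data
    for label, per_user in (("global salt", False), ("per-user salts", True)):
        users = [make_user(p, per_user) for p in passwords]
        print(label, "distinct:", distinct_hashes(users), "covered:",
              covered_by_one_table(users, set(passwords), GLOBAL_SALT))
```

With the global salt, one precomputed table covers every record and equal passwords are visible as equal hashes; with per-record salts neither holds, which is the property the per-user salt fields are there to provide.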
