|Don't ask to ask, just ask|
[SOLVED][blogs.perl.org credential release] How can I check the password that I used on blogs.perl.orgby three18ti (Scribe)
|on Jan 23, 2014 at 11:36 UTC||Need Help??|
three18ti has asked for the
wisdom of the Perl Monks concerning the following question:
I apparently signed up for blogs.perl.org some time ago, and I have no idea what password I used. With the leak of my credentials (unfortunately my username is on the list) I would like to verify what password I used.
Since the crypt function is a one way hash function, I was going to "crypt" my standard passwords, but I'm having trouble identifying where the SALT value comes from.
Full disclosure, I tried to ask on irc.freenode.net #perl and was told to RTFS, (even though I had been), and when I tried to ask questions about the source (because frankly the begin block below makes no sense to me... it looks like it's modifying the symbol table directly, but to what end?) I was told again to RTFS.
I'm hoping against all hope that you are nicer than the people on irc, because frankly I'm a bit hot under the collar right now (and I now understand all the gripes about how shitty people in the Perl community are... having never experienced it for myself). (I get that people on irc and here are volunteering their time, but that's no reason to be rude about it. Besides this is a serious breach of security and I'd just like a _little_ help to gain a piece of mind. I don't _usually_ reuse passwords, but again, I have no idea what password I used on blogs.perl.org).
Anyway, I digress, from the Movable Type docs:
The documentation for is_valid_password in MT::Auth is very similar:
This says to me that the function is_valid_password somehow "magically" knows the SALT, but I don't understand HOW is_valid_password is getting that salt value, it's not being passed in as a parameter...
It looks to me that the salt value is a randomly generated two character salt:
It looks like MT::Author::is_valid_password is just a proxy for MT::Auth::is_valid_password, as it just calls MT::Auth::is_valid_password with the parameters passed to it:
Here's where I really don't understand, MT::Auth::is_valid_password doesn't seem to be defined, but in MT::Auth it looks like we're modifying the symbol table directly:
(It was when I asked for help understanding the above block of code that I was told I should RTFS for the second time).
My guess is that this code is shifting of the obj reference (since the object is passed as the first parameter when calling an object method), then passing the rest of the parameters to _handle. The following block is a block inside of main, so $auth_module is "cached" so _driver doesn't have to be called on every invocation. It seems like _driver is just instantiating an object of MT::Auth::$SOMETHING (my best guess is BasicAuth in this case), but then _handle is calling $method on some $object. (but if $method is is_valid_password then it can't do that because MT::Auth::BasicAuth doesn't define an "is_valid_password")
This is wrinkling my brain. What is going on here?
I am curious as to what is going on here, I'm always looking for strategies to improve my code, but that is extremely low priority in comparison to verifying what password was leaked.
I asked the same question on reddit but /r/perl is not nearly as active as perlmonks.
Thanks for any assistance.
This appears to be the is_valid_password in MT::Auth::MT, my guess that we'd be using MT::Auth::BasicAuth is incorrect (I think)
Many thanks to Corion and Anonymous Monk for their assistance with this one