PerlMonks  

How is Catalyst storing my password salts??

by falseazure (Acolyte)
on Feb 01, 2011 at 06:16 UTC [id://885412]

falseazure has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, Monks!

I'm using Catalyst::Plugin::Authentication to salt my users' passwords with a 10-digit salt, then hash them with SHA-256. From what I understand, this means 10 extra characters are appended to the end of each user-entered password and then the password+salt string is run through the SHA-256 digest, and the output of that is stored in the database password field.

It works, but I don't get how. After reading a bunch of docs (Catalyst::Manual::Tutorial::05_Authentication, Catalyst::Plugin::Authentication, DBIx::Class::EncodedColumn, DBIx::Class::EncodedColumn::Digest) I still can't figure out how the hashes in the database are correctly reproduced when a user re-enters their password later.

Because where are the salts stored? Or how are they regenerated? Or am I not getting something fundamental about how salting/hashing works?

Thanks!


Re: How is Catalyst storing my password salts??
by Corion (Patriarch) on Feb 01, 2011 at 07:57 UTC

    You haven't said whether you use the salted_hash option or not. This bug report claims that the password salt for the "normal" hash implementation is stored in a config file or passed in via the constructor.

      Thanks, this is helpful. It mentions a couple of options to look into. I was not using and had not heard of salted_hash, but I will look into it. Someone in the bug report thread said it uses Crypt::SaltedHash, which creates a salt for each user from a function of the username, which makes sense to me. Or I might check out this bcrypt from Authen::Passphrase.
Re: How is Catalyst storing my password salts??
by moritz (Cardinal) on Feb 01, 2011 at 07:53 UTC
    I don't know how Catalyst does it, but it's common to store the salt together with the hash, separated by a special character. For example, in /etc/shadow on Linux, salt and hash are separated by $.
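The following is an added example, not code from this thread, from Catalyst::Plugin::Authentication or from Crypt::SaltedHash. It answers the original question and illustrates both replies above: the salt is not kept anywhere separate, it is written into the stored password field itself, and the verifier parses it back out before re-running the hash. Two layouts are shown: the "$scheme$salt$hash" layout moritz describes for /etc/shadow, and the "{SSHA256}" + base64(hash . salt) layout that Crypt::SaltedHash (what Catalyst's password_type => 'salted_hash' uses) emits. The scheme tag 'sha256', the 10-byte salt length and the sample password are assumptions for this example; only core Perl modules are used.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread, Catalyst, or Crypt::SaltedHash.
# Shows two ways the salt travels with the hash so that it can be recovered
# at login time. Only core modules (Digest::SHA, MIME::Base64) are used.
use strict;
use warnings;
use Digest::SHA  qw(sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

my $SALT_LEN = 10;    # assumption: same length the original poster configured

# Random salt bytes. Reads /dev/urandom where it exists; the rand() fallback is
# only so the example runs everywhere and is NOT suitable for production.
sub make_salt {
    my $len  = shift // $SALT_LEN;
    my $salt = '';
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, $salt, $len;
        close $fh;
    }
    $salt .= chr(int rand 256) while length($salt) < $len;
    return $salt;
}

# Compare two byte strings without leaking where they first differ.
sub eq_const_time {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Layout 1: "$sha256$hexsalt$hexhash", the /etc/shadow style.
# Everything needed to re-run the hash is inside the stored field.
sub store_dollar {
    my ($password, $salt) = @_;
    $salt //= make_salt();
    return join '$', '', 'sha256', unpack('H*', $salt),
        unpack('H*', sha256($password . $salt));
}

sub verify_dollar {
    my ($stored, $password) = @_;
    my (undef, $scheme, $hexsalt, $hexhash) = split /\$/, $stored;
    return 0 unless defined $scheme && $scheme eq 'sha256' && defined $hexhash;
    my $salt = pack 'H*', $hexsalt;
    return eq_const_time(sha256($password . $salt), pack('H*', $hexhash));
}

# Layout 2: "{SSHA256}" . base64(hash . salt), the RFC 2307 style that
# Crypt::SaltedHash emits. The salt is the trailing bytes of the decoded blob,
# so the verifier must be told how long the salt is; that is why the salt
# length is configuration (salt_len) rather than something stored per user.
sub store_ssha256 {
    my ($password, $salt) = @_;
    $salt //= make_salt();
    return '{SSHA256}' . encode_base64(sha256($password . $salt) . $salt, '');
}

sub verify_ssha256 {
    my ($stored, $password, $salt_len) = @_;
    $salt_len //= $SALT_LEN;
    return 0 unless $stored =~ s/^\{SSHA256\}//;
    my $blob = decode_base64($stored);
    return 0 if length($blob) <= $salt_len;
    my $salt   = substr $blob, -$salt_len;
    my $digest = substr $blob, 0, length($blob) - $salt_len;
    return eq_const_time(sha256($password . $salt), $digest);
}

# Demonstration with a constructed password. Storing the same password twice
# yields two different fields because each call draws a fresh salt.
my $pw = 'correct horse';
my $h1 = store_dollar($pw);
my $h2 = store_dollar($pw);
print "$h1\n$h2\n";
print 'dollar  ok:  ', (verify_dollar($h1, $pw)    ? 'yes' : 'no'), "\n";
print 'dollar  bad: ', (verify_dollar($h1, 'nope') ? 'yes' : 'no'), "\n";

my $s = store_ssha256($pw);
print "$s\n";
print 'ssha256 ok:  ', (verify_ssha256($s, $pw)    ? 'yes' : 'no'), "\n";
print 'ssha256 bad: ', (verify_ssha256($s, 'nope') ? 'yes' : 'no'), "\n";
```

With the real module the same verification is Crypt::SaltedHash->validate($stored, $password, $salt_len): the third argument exists precisely because the salt length is the one thing the stored string does not carry. Two practical caveats: a single SHA-256 round over password plus salt is cheap to brute-force offline if the table leaks, so for new code a deliberately slow scheme such as bcrypt (the Authen::Passphrase route mentioned above) is the better choice; and whichever layout you use, compare digests with a constant-time function as above rather than with eq.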
