This queue is for tickets about the CGI-Application-Plugin-Authentication CPAN distribution.

Report information

The Basics
Id: 16635
Status: stalled
Priority: Low/Low

People
Owner: SILASMONK [...] cpan.org
Requestors: mrperson [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity: Wishlist
Broken in: 0.07
Fixed in: (no value)



Subject: MD5 and SHA1 routines should use salt
When using MD5 or SHA1 to hash a password, a salt value should be used to prevent an easy dictionary attack against the stored passwords. There's a good article at http://aspnet.4guysfromrolla.com/articles/112002-1.aspx that explains why hashing is needed. Crypt::PasswdMD5 is an example of a Perl module that uses this technique.

Chris, I hear you on this one. I have been looking into it and I can see two problems:

1.) The more complicated the password creation scheme is, the more important it becomes that the module offer a way to manage the passwords in accordance with that scheme. As far as I can see at the moment the module is not doing that.

2.) The current Driver::DBI code does not really offer it.

When I have addressed the above two issues I would be able to look at this again. In the meantime there is nothing stopping you from writing your own driver to implement this based upon the DBI driver.
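
The difference the request describes, shown as an added example (not code from the plugin or from either poster): the same constructed accounts are stored as plain SHA1 digests and as salted digests, then checked against one precomputed digest table. The account names, passwords, the `salt$digest` storage layout and all sub names are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample accounts: two users happen to share a password.
my %passwords = (alice => 'sunshine', bob => 'sunshine', carol => 'tr0ub4dor');

# 8 random bytes as hex. Assumes a Unix-like host with /dev/urandom.
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $raw;
    (read($fh, $raw, 8) // 0) == 8 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $raw;
}

# Stored form is "<salt>$<digest>" (hypothetical layout, not the plugin's schema).
sub hash_salted {
    my ($password, $salt) = @_;
    $salt = new_salt() unless defined $salt;
    return $salt . '$' . sha1_hex($salt . $password);
}

# Re-hash the candidate with the salt kept beside the digest and compare.
sub verify_salted {
    my ($password, $stored) = @_;
    my ($salt) = split /\$/, $stored, 2;
    return hash_salted($password, $salt) eq $stored;
}

my %unsalted = map { ($_ => sha1_hex($passwords{$_})) } keys %passwords;
my %salted   = map { ($_ => hash_salted($passwords{$_})) } keys %passwords;

# One precomputed digest => word table covers every unsalted row at once.
my %table = map { (sha1_hex($_) => $_) } qw(password sunshine letmein);

for my $user (sort keys %passwords) {
    my $digest = (split /\$/, $salted{$user}, 2)[1];
    printf "%-6s unsalted: %-9s salted: %s\n", $user,
        $table{ $unsalted{$user} } // 'no match',
        exists $table{$digest} ? 'match' : 'no match';
}
print "alice/bob share an unsalted digest: ",
    ($unsalted{alice} eq $unsalted{bob} ? "yes" : "no"), "\n";
print "alice/bob share a salted record:    ",
    ($salted{alice} eq $salted{bob} ? "yes" : "no"), "\n";
print "verify alice: ", (verify_salted('sunshine', $salted{alice}) ? "ok" : "FAIL"), "\n";
```

The salt makes each stored record unique, so a single precomputed table no longer matches and shared passwords are no longer visible in the stored data; it does not make an individual guess any slower.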

