falseazure has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, Monks!

I'm using Catalyst::Plugin::Authentication to salt my users' passwords with a 10-digit salt, then hash them with SHA-256. From what I understand, this means 10 extra characters are appended to the end of each user-entered password and then the password+salt string is run through the SHA-256 digest, and the output of that is stored in the database password field.

It works, but I don't get how. After reading a bunch of docs (Catalyst::Manual::Tutorial::05_Authentication, Catalyst::Plugin::Authentication, DBIx::Class::EncodedColumn, DBIx::Class::EncodedColumn::Digest) I still can't figure out how the hashes in the database are correctly reproduced when a user re-enters their password later.

Where are the salts stored? Or how are they regenerated? Or am I not getting something fundamental about how salting/hashing works?

Thanks!


Re: How is Catalyst storing my password salts??
by Corion (Patriarch) on Feb 01, 2011 at 07:57 UTC

    You haven't said whether you use the salted_hash option or not. This bug report claims that the password salt for the "normal" hash implementation is stored in a config file or passed in via the constructor.

      Thanks, this is helpful. It mentions a couple of options to look into. I was not using and had not heard of salted_hash, but I will look into it. Someone in the bug report thread said it uses Crypt::SaltedHash, which creates a salt for each user from a function of the username, which makes sense to me. Or I might check out this bcrypt from Authen::Passphrase.
Re: How is Catalyst storing my password salts??
by moritz (Cardinal) on Feb 01, 2011 at 07:53 UTC
    I don't know how Catalyst does it, but it's common to store the salt together with the hash, separated by a special character. For example, in /etc/shadow on Linux, salt and hash are separated by $.
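The storage scheme moritz describes, written out as an added example that is not part of this thread and not Catalyst's or Crypt::SaltedHash's code: a per-user random salt is generated at hash time and written into the stored field beside the digest (here as `$sha256$<salt>$<digest>`, both parts base64), so verification can simply read the salt back out of the field instead of regenerating it. The format string, the 10-byte salt length (taken from the question) and the helper names are assumptions of this example; only core modules (Digest::SHA, MIME::Base64) are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA   qw(sha256);
use MIME::Base64  qw(encode_base64 decode_base64);

# Hypothetical helper for this example: a fresh random salt per user,
# read from the kernel CSPRNG rather than from rand().
sub make_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $salt, $len;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return $salt;
}

# Hash password+salt and store the salt *with* the digest, fields
# separated by '$' in the style of /etc/shadow:
#   $sha256$<base64 salt>$<base64 digest>
# Nothing about the salt has to be remembered elsewhere.
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= make_salt(10);                      # 10 bytes, as in the question
    my $digest = sha256($password . $salt);       # salt appended to the password
    return join '$', '', 'sha256',
        encode_base64($salt, ''), encode_base64($digest, '');
}

# Verify by pulling the salt back out of the stored field, recomputing the
# digest over the candidate password, and comparing in constant time.
sub verify_password {
    my ($password, $stored) = @_;
    my (undef, $scheme, $salt_b64, $digest_b64) = split /\$/, $stored, 4;
    return 0 unless defined $scheme && $scheme eq 'sha256' && defined $digest_b64;
    my $salt     = decode_base64($salt_b64);
    my $expected = decode_base64($digest_b64);
    my $actual   = sha256($password . $salt);
    return constant_time_eq($expected, $actual);
}

# XOR every byte so a mismatch does not return early and leak its position.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Usage with a constructed password:
my $stored = hash_password('correct horse');
print "stored record: $stored\n";
print verify_password('correct horse', $stored) ? "accepted\n" : "REJECTED (bug)\n";
print verify_password('wrong',         $stored) ? "ACCEPTED (bug)\n" : "rejected\n";
# A second user with the same password gets a different record, because the
# salt differs; this is the property a single site-wide salt cannot give you.
print hash_password('correct horse') eq $stored ? "identical\n" : "different\n";
```

Two checks worth making against your own database after reading this: if every stored value is exactly 64 hex characters (or 32 raw bytes) with nothing beside it, the salt is not being stored per row, and is therefore either fixed in configuration or derived from something else, as the bug report in Corion's reply describes for the non-salted_hash path; and a fixed site-wide salt means two users with the same password share the same hash, so it does not buy what per-user salting does. Separately, a single SHA-256 over password+salt is cheap to brute-force on a GPU even when salted, which is why the bcrypt option mentioned above is the better choice for new code.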