Remove PlaintextPasswordHash from API?


Will Hopkins
 

EG:

I'm thinking we should probably remove this from the API. It's trivial for someone to implement if they need to (we could retain the Impl in the RI), but nobody should ever use this in a production setting. It should not be used even for a legacy environment -- if the plaintext for a password is known, it can be converted to a hashed format. Given the frequency with which hackers are able to get access to password databases, storing plaintext hashes constitutes security malpractice and borders on criminal negligence.

Any objections?

Will
-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803

Join javaee-security-spec@javaee.groups.io to automatically receive all group messages.