Re: Remove PlaintextPasswordHash from API?

Ivar Grimstad

No objections here.


On Wed, Jul 26, 2017 at 8:08 PM Will Hopkins <will.hopkins@...> wrote:

I'm thinking we should probably remove this from the API. It's trivial for someone to implement if they need to (we could retain the Impl in the RI), but nobody should ever use this in a production setting. It should not be used even for a legacy environment -- if the plaintext for a password is known, it can be converted to a hashed format. Given the frequency with which hackers are able to get access to password databases, storing plaintext hashes constitutes security malpractice and borders on criminal negligence.

Any objections?

Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803


Java Champion, JCP EC/EG Member, JUG Leader
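
The conversion mentioned in the quoted message (known plaintext turned into a hashed format) is sketched below as an added example; it is not part of the thread and is not code from the API or the RI. It uses only JDK classes, and the class name, storage encoding, iteration count, and sample accounts are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper: one-time migration of a legacy plaintext store to salted PBKDF2.
public class PlaintextMigration {
    static final String ALG = "PBKDF2WithHmacSHA256";
    static final int ITERATIONS = 210_000, SALT_BYTES = 16, KEY_BITS = 256; // assumed parameters
    static final SecureRandom RNG = new SecureRandom();

    static byte[] derive(char[] pw, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, KEY_BITS);
        byte[] key = SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
        spec.clearPassword(); // drop the spec's internal copy of the password
        return key;
    }

    // Stored form is "algorithm:iterations:salt:hash" so the work factor can be raised later.
    static String generate(char[] pw) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // fresh random salt per account
        Base64.Encoder b64 = Base64.getEncoder();
        String hash = b64.encodeToString(derive(pw, salt, ITERATIONS));
        return ALG + ":" + ITERATIONS + ":" + b64.encodeToString(salt) + ":" + hash;
    }

    static boolean verify(char[] pw, String stored) throws GeneralSecurityException {
        String[] p = stored.split(":");
        if (p.length != 4 || !ALG.equals(p[0])) return false; // unmigrated or unknown rows never match
        byte[] salt = Base64.getDecoder().decode(p[2]);
        byte[] expected = Base64.getDecoder().decode(p[3]);
        byte[] actual = derive(pw, salt, Integer.parseInt(p[1]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Map<String, String> store = new LinkedHashMap<>(); // constructed sample data
        store.put("alice", "correct horse battery");
        store.put("bob", "hunter2");
        for (Map.Entry<String, String> e : store.entrySet()) {
            e.setValue(generate(e.getValue().toCharArray())); // overwrite plaintext in place
        }
        char[] good = "hunter2".toCharArray(), bad = "hunter3".toCharArray();
        System.out.println(verify(good, store.get("bob")) + " " + verify(bad, store.get("bob")));
    }
}
```

Because every legacy row already holds the plaintext, the migration needs no user interaction and leaves no reason to keep a plaintext comparison path afterwards.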
