Re: Remove PlaintextPasswordHash from API?

Ivar Grimstad


No objections here.

Ivar

On Wed, Jul 26, 2017 at 8:08 PM Will Hopkins <will.hopkins@...> wrote:
EG:

I'm thinking we should probably remove this from the API. It's trivial for someone to implement if they need to (we could retain the Impl in the RI), but nobody should ever use this in a production setting. It should not be used even for a legacy environment -- if the plaintext for a password is known, it can be converted to a hashed format. Given the frequency with which hackers are able to get access to password databases, storing plaintext hashes constitutes security malpractice and borders on criminal negligence.

Any objections?

Will
-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803

--

Java Champion, JCP EC/EG Member, JUG Leader
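The migration Will describes above, as an added example that is not part of this thread, JSR 375 or the Soteria RI: a legacy table whose plaintext passwords are known is hashed once with PBKDF2 and only the hash is kept, then logins are verified against the migrated column. The encoded form follows the "<algorithm>:<iterations>:<base64 salt>:<base64 hash>" layout that the Pbkdf2PasswordHash Javadoc describes; the algorithm, iteration count, salt size and key size below are assumed to match that interface's documented defaults. Only the JDK's javax.crypto PBKDF2 is used, so it runs without a container.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not JSR 375 or Soteria code. Parameter values are assumed
// to mirror the documented Pbkdf2PasswordHash defaults.
public class PlaintextToPbkdf2Migration {
    static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    static final int ITERATIONS = 2048;
    static final int SALT_BYTES = 32;
    static final int KEY_BYTES = 32;
    static final SecureRandom RANDOM = new SecureRandom();

    // Derive keyBytes bytes from password + salt with the JDK's PBKDF2.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBytes) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBytes * 8);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable in this JDK", e);
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy; wipe it
        }
    }

    // Hash a plaintext password under a fresh random salt and encode the result.
    static String generate(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS, KEY_BYTES);
        Base64.Encoder b64 = Base64.getEncoder();
        return ALGORITHM + ":" + ITERATIONS + ":"
                + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    // Verify a login attempt against a stored encoded hash. Iteration count,
    // salt and key length are read from the stored value, so records hashed
    // under older parameters keep verifying after the defaults are raised.
    static boolean verify(char[] password, String encoded) {
        String[] parts = encoded.split(":");
        if (parts.length != 4 || !ALGORITHM.equals(parts[0])) {
            return false;
        }
        try {
            int iterations = Integer.parseInt(parts[1]);
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            byte[] actual = pbkdf2(password, salt, iterations, expected.length);
            return MessageDigest.isEqual(expected, actual);   // constant-time compare
        } catch (IllegalArgumentException malformed) {        // bad int or bad base64
            return false;
        }
    }

    // One-time migration: replace every plaintext value with its hash and wipe
    // the plaintext from memory as it goes. Returns the new column contents.
    static Map<String, String> migrate(Map<String, char[]> plaintextColumn) {
        Map<String, String> hashed = new LinkedHashMap<>();
        for (Map.Entry<String, char[]> row : plaintextColumn.entrySet()) {
            char[] plaintext = row.getValue();
            hashed.put(row.getKey(), generate(plaintext));
            Arrays.fill(plaintext, '\0');   // the plaintext must not outlive the migration
        }
        return hashed;
    }

    public static void main(String[] args) {
        // Constructed sample rows standing in for a legacy plaintext table.
        Map<String, char[]> legacy = new LinkedHashMap<>();
        legacy.put("alice", "correct horse battery staple".toCharArray());
        legacy.put("bob", "hunter2".toCharArray());

        Map<String, String> migrated = migrate(legacy);
        migrated.forEach((user, enc) -> System.out.println(user + " -> " + enc));

        System.out.println("alice, right password: "
                + verify("correct horse battery staple".toCharArray(), migrated.get("alice")));
        System.out.println("alice, wrong password: "
                + verify("wrong".toCharArray(), migrated.get("alice")));
    }
}
```

Inside a container the same step would be done by injecting Pbkdf2PasswordHash and calling its generate(char[]) for each row, after which the DatabaseIdentityStoreDefinition's hashAlgorithm can stay at Pbkdf2PasswordHash rather than ever referencing PlaintextPasswordHash. Once the hashed column is in place the plaintext column should be dropped, not merely left unread.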
