[ https://issues.jboss.org/browse/ELY-1189?page=com.atlassian.jira.plugin.s... ] Peter Skopek commented on ELY-1189: ----------------------------------- zregvart commented on 11 Jan Good discussion guys, let me just jump in with a little tidbit, even though RFC2898 defines PBKDF1, there is clear wording on not actually using it (Section 5[1]). My point being that PBE algorithms that do not need persistence of IV would only be deprecated ones (SHA1/RC4 and MD5/DES) that are still using PBKDF1 mode. So it might make sense to include IV in the MaskedPassword by default. [1] https://tools.ietf.org/html/rfc2898#section-5 -- This message was sent by Atlassian JIRA (v7.2.3#72005)