I'm not sure how you could recover the password in plaintext, as it is hash-ed along with other attributes. As Jack has mentioned, the most clever attack on the most secure hash algorithm we have available today (SHA-1) would take ~ 2^63 steps to find a collision, which is barely feasible. Now I don't have to steal the password to gain access. Just equally effectively, I just need to gain access to the cookie with cross-site scripting to gain access. Maybe then you can add an additional IP address attribute to the hash content as a precautionary measure. However, this approach fails if the malicious attacker is on the same network that you are on. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018219#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...