Re: [security-dev] SHA salted passwords

Actually, passwords are not stored in plain text by default. The PlainTextPassword is used to store both encoded and plain text passwords. Maybe we can change the API to better indicate whether you want to use encoded passwords or not. Something like this: Encoded : this.identityManager.updateCredential(user, new EncodedPassword(request.getPassword())); Plain Text: this.identityManager.updateCredential(user, new PlainTextPassword(request.getPassword())); Where for the EncodedPassword type you can specify the different configurations for the encoding such as supported algorithms, salt, etc. ----- Original Message ----- From: "Bruno Oliveira" <bruno(a)abstractj.org (mailto:bruno@abstractj.org)> To: security-dev(a)lists.jboss.org (mailto:security-dev@lists.jboss.org) Sent: Monday, January 7, 2013 7:49:58 AM Subject: [security-dev] SHA salted passwords Good morning everyone. I'm planning to upgrade AeroGear to PicketLink, looking at the examples looks like the passwords will be stored in plain text (https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/a...). I was just wondering if ShaSaltedPasswordHash (https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/ja...) could replace PlainTextPassword in this example, because I don't want to provide examples to our users with passwords stored in plain text. Is it possible? -- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org (mailto:security-dev@lists.jboss.org) https://lists.jboss.org/mailman/listinfo/security-dev