[ https://issues.apache.org/jira/browse/DIRSERVER-1088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12626247#action_12626247 ]

Alex Karasulu commented on DIRSERVER-1088:
------------------------------------------

Didn't you fix this Em?

> Do not cache plain text passwords in credential cache or in LdapPrincipal
> -------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1088
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1088
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.5.1, 1.5.0
>            Reporter: Alex Karasulu
>             Fix For: 1.5.4
>
>
> It's really not a good idea to cache plain text passwords in memory which can 
> easily be compromised with memory readers to enable password theft.  The best 
> thing to do here in the short term is to disable caching if the password is 
> plaintext.
> If caching is still desired then a temp key generated at startup can be used 
> to encrypt and decrypt plain text password when put into memory.  Perhaps 
> this is the best option which still keeps performance.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
