> On Apr 24, 2015, at 9:05 AM, Emmanuel Lécharny <[email protected]> wrote:
>
> But a base-64 representation of a char[] (or even better, byte[],
> assuming the password is UTF-8 encoded) is most certainly better, from a
> security POV.
>
> Also considering that what you are using are pure ASCII chars, that will
> not be appropriate for around 4/5 of the world, such a modification
> could be valuable.
>
> As a matter of fact, passwords in LDIF are generally stored already
> hashed, i.e. as byte[], because whatever representation you use (being a
> String or a char[]), this is already fully vulnerable...
>
> IMO, there is something wrong in this area...

Agreed. I’ll open a ticket and we’ll go from there.

Thanks
Shawn
[email protected]
