David Crocker wrote:
> I'm by no means an expert in the field of security and Java, but I believe
> that the usual technique is to encode the password that the user types using
> a 1-way hashing algorithm, then store (and hide/protect) the encoded version
> and use that as the password. If an attacker manages to read the password
> hash, he still has to construct a password that will encode to the same
> value.
That only works if you're the "server", or more accurately, the process
that needs to verify the password. If you're the "client", or the
process that needs to supply the password, that doesn't help you.
Ryan
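The asymmetry Ryan describes, as an added example that is not part of the thread: the verifier keeps only a salted, slow hash (PBKDF2-HMAC-SHA256 is an assumption chosen here; the thread names no algorithm) and can check a submitted password against it, but the process that must supply the password gains nothing from holding that hash, because sending the hash in place of the password fails verification. The `Verifier` and `Client` names and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed parameter for the example; tune for the target hardware.
PBKDF2_ITERATIONS = 100_000


def make_password_record(password: str) -> dict:
    """Verifier side: derive a salted, slow hash and keep only that.

    The plaintext is discarded; the record is what gets stored (and protected).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Verifier side: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


class Verifier:
    """The 'server' in Ryan's terms: it never needs the plaintext after enrolment."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = make_password_record(password)

    def login(self, user: str, candidate: str) -> bool:
        record = self.records.get(user)
        if record is None:
            return False
        return verify_password(record, candidate)


class Client:
    """The 'client' in Ryan's terms: it must present something the verifier
    will accept, and a hash of the password is not that something."""

    def __init__(self, user: str, stored_secret: str) -> None:
        # Whatever the client stores is what it will send; hashing it first
        # (as the verifier does) only produces a value the verifier rejects.
        self.user = user
        self.stored_secret = stored_secret

    def authenticate(self, verifier: Verifier) -> bool:
        return verifier.login(self.user, self.stored_secret)


def demo() -> tuple[bool, bool]:
    """Returns (result with plaintext, result with the verifier's own hash)."""
    verifier = Verifier()
    verifier.register("alice", "correct horse battery staple")

    # Client that kept the plaintext: succeeds.
    plaintext_client = Client("alice", "correct horse battery staple")
    ok_plaintext = plaintext_client.authenticate(verifier)

    # Client that kept only the verifier's hash (even with the salt): fails,
    # because the verifier hashes whatever arrives before comparing.
    stored_digest = verifier.records["alice"]["digest"].hex()
    hash_client = Client("alice", stored_digest)
    ok_hash = hash_client.authenticate(verifier)

    return ok_plaintext, ok_hash


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second client is the point of the example: protecting the verifier's copy by hashing is sound, but the supplying side still has to hold the plaintext (or a reversible form of it), which is why Ryan's distinction between the two roles matters.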