David Crocker wrote:
> I'm by no means an expert in the field of security and Java, but I believe that
> the usual technique is to encode the password that the user types using a 1-way
> hashing algorithm, then store (and hide/protect) the encoded version and use
> that as the password. If an attacker manages to read the password hash, he still
> has to construct a password that will encode to the same value.
At issue is not the mechanical method of storing the password; it is the fundamental insecurity of storing a password such that an automated process may recover/use said password. If an automated process can recover the password, chances are very good an attacker can, and no cryptographic algorithm will solve that issue. The system is weak, not the individual components.

Cheers,
Chris