On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui <cassandral...@gmail.com> wrote:
SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
SF> security.

I used MD5 when I proposed SimpleAuthenticator for two reasons:

1) SimpleAuthenticator is supposed to be a demo of the authentication interface. It can be used for testing and trivial setups, but I wouldn't use it in production. So it's meant to get you going easily, not to serve you long-term.

2) MD5 is built into Java. At the time, bcrypt and SHA-* were not.

I used MD5 only so the passwords are not stored in the clear, not to provide production-level security. You should consider carefully the implications of storing passwords in a file on a database server, no matter how they are encrypted. It would be better to write a trivial AD/LDAP/etc. authenticator that fits your specific needs and doesn't rely on a local file.

Ted
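The distinction Ted draws above, as an added example that is not part of this thread or of Cassandra's SimpleAuthenticator: unsalted MD5 keeps a passwd file out of the clear but still reveals which users share a password, while a salted, deliberately slow hash does not. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here (bcrypt is not in the stdlib), and the account names, passwords and iteration count are constructed for the demo.

```python
"""Added example (not from the thread or Cassandra): an MD5 password file
only keeps passwords out of the clear. PBKDF2-HMAC-SHA256 from the standard
library stands in for bcrypt, which the Python stdlib does not ship."""
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to share a password.
ACCOUNTS = {"alice": "s3cret", "bob": "s3cret", "carol": "other"}

# Assumed work factor; tune to what the authenticator can afford per login.
PBKDF2_ITERATIONS = 200_000


def md5_hex(password):
    """Unsalted MD5 hex digest, as the passwd file in the message stores it."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, slow hash stored as 'salt$digest' so the salt travels with it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_hashes(accounts, hasher):
    """How many distinct stored values a file of these accounts would show.
    Fewer values than users means shared passwords are visible on disk."""
    return len({hasher(pw) for pw in accounts.values()})


if __name__ == "__main__":
    print("MD5 distinct values:", distinct_hashes(ACCOUNTS, md5_hex))          # 2 of 3
    print("salted distinct values:", distinct_hashes(ACCOUNTS, pbkdf2_record))  # 3 of 3
    rec = pbkdf2_record("s3cret")
    print("verify ok:", verify_pbkdf2("s3cret", rec),
          "wrong:", verify_pbkdf2("S3cret", rec))                               # True False
```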