[Esapi-user] Using account name as salt

Luke Biddell luke.biddell at gmail.com
Fri May 6 10:05:37 EDT 2011


In FileBasedAuthenticator you use the accountName as salt for the
user's password. Is this a sensible thing to do in a production
environment?

I've always thought the salt should be something unique to the user and private?

I'm using 2.0 rc10 from maven so perhaps this has changed in newer rcs
after the NSA review.

Thanks for any help

Luke
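As an added illustration of the two salting approaches the question contrasts (this is example code, not ESAPI's FileBasedAuthenticator, and the iteration count and salt length are assumed values): a deterministic salt derived from the account name gives the same hash for a given account/password pair everywhere, while a random per-user salt stored next to the hash makes every record distinct even when passwords repeat.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not ESAPI's own settings).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_with_account_name_salt(account_name: str, password: str) -> bytes:
    """Deterministic salt: the account name, as the question describes.
    The result for a given (account, password) pair is identical in every
    deployment, so it can be precomputed per account name."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account_name.encode(), ITERATIONS
    )


def create_record(password: str) -> dict:
    """Random per-user salt stored beside the hash. The salt is not a secret;
    it only has to be unique so that identical passwords hash differently."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Same account and password on two systems: identical hash under the
    # account-name salt ...
    a = hash_with_account_name_salt("alice", "correct horse")
    b = hash_with_account_name_salt("alice", "correct horse")
    print("account-name salt repeats:", a == b)
    # ... but two distinct records under random salts, even for the same password.
    r1, r2 = create_record("correct horse"), create_record("correct horse")
    print("random-salt hashes differ:", r1["hash"] != r2["hash"])
    print("verify ok:", verify(r1, "correct horse"), "wrong:", verify(r1, "wrong"))
```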

