[Esapi-user] Using account name as salt

Luke Biddell luke.biddell at gmail.com
Fri May 6 10:05:37 EDT 2011

In FileBasedAuthenticator you use the accountName as salt for the
user's password. Is this a sensible thing to do in a production

I've always thought the salt should be something unique to the user and private?

I'm using 2.0 rc10 from maven so perhaps this has changed in newer rcs
after the NSA review.

Thanks for any help
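As an added illustration of the concern raised above (example code written for this thread, not code from the post or from ESAPI's FileBasedAuthenticator): a hypothetical scheme that salts with the account name, beside one that uses a per-user random salt, both over PBKDF2-HMAC-SHA256. Because the account name is public and reused across systems, two independent deployments produce the identical hash for the same user and password, so leaked hashes can be correlated and a per-account precomputation serves every deployment; a random salt stored next to the hash removes that property.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed work factor for the demo; tune iterations for your hardware.
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_with_account_name(account_name: str, password: str) -> bytes:
    """Hypothetical scheme mirroring the concern: the salt is the public account name."""
    return derive(password, account_name.encode("utf-8"))


def hash_with_random_salt(password: str, salt_len: int = 16) -> Tuple[bytes, bytes]:
    """Per-user random salt (from a CSPRNG) that is stored alongside the hash."""
    salt = secrets.token_bytes(salt_len)
    return salt, derive(password, salt)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so verification does not leak the hash byte by byte."""
    return hmac.compare_digest(derive(password, salt), expected)


def compare_schemes(account_name: str, password: str) -> Dict[str, bool]:
    """Register the same user twice, as two deployments would, and report whether
    the stored hashes are identical under each scheme."""
    deploy_a = hash_with_account_name(account_name, password)
    deploy_b = hash_with_account_name(account_name, password)
    _, rand_a = hash_with_random_salt(password)
    _, rand_b = hash_with_random_salt(password)
    return {
        "account_name_salt_identical": deploy_a == deploy_b,  # True: correlatable
        "random_salt_identical": rand_a == rand_b,            # False: independent
    }


if __name__ == "__main__":
    print(compare_schemes("alice", "correct horse battery staple"))
```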

