> How about we do a common password encryption strategy between
> PropertiesUserManager and DbUserManager? Right now,
> PropertiesUserManager does a simple MD5 on the password, but this is
> not a good idea as it is not secure against lookup attacks. So, I'm
> planning to rewrite it to use a stronger hashing algorithm (salt and
> multiple hashing rounds). At the same time, it might make sense to do
> the same for DbUserManager. Would that solve your issue?
>
> /niklas
Not really, since we are integrating our database with several other systems (our hashing algorithm is not very secure either, but the thing is that I have to use a 'predefined' algorithm). Anyway, it is true that configuration should be kept as simple as possible ... I would vote for an object that implements the new, more-robust encryption code; we would store the object in the UserManagers with a public setter so that the encryption method can be overridden by code. I'd say there's no need to have an interface for such a simple task.
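As an added illustration of the two proposals above (salted, multi-round hashing as the default, and a pluggable encryptor object with a public setter for sites bound to a predefined scheme), this is example code, not code from the thread or from the project, written in Python rather than the project's Java. It assumes PBKDF2-HMAC-SHA-256 as the concrete salt-and-rounds scheme, a stored format of `rounds$salt$hash`, and the class and method names shown.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the thread): 16-byte random salt, PBKDF2-HMAC-SHA-256,
# stored as "rounds$salt_hex$hash_hex". The per-user salt defeats the precomputed
# lookup tables that work against the plain MD5 criticised in the thread.
DEFAULT_ROUNDS = 100_000


class SaltedPasswordEncryptor:
    """Salted, iterated hashing of the kind proposed for PropertiesUserManager."""

    def __init__(self, rounds=DEFAULT_ROUNDS):
        self.rounds = rounds

    def encrypt(self, password, salt=None):
        salt = salt if salt is not None else os.urandom(16)  # fresh salt per password
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.rounds)
        return "%d$%s$%s" % (self.rounds, salt.hex(), digest.hex())

    def matches(self, password, stored):
        rounds, salt_hex, digest_hex = stored.split("$")  # rounds/salt come from the stored value
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


class LegacyMd5Encryptor:
    """Constructed stand-in for a 'predefined' unsalted scheme shared with other systems."""

    def encrypt(self, password, salt=None):
        return hashlib.md5(password.encode("utf-8")).hexdigest()

    def matches(self, password, stored):
        return hmac.compare_digest(self.encrypt(password), stored)


class UserManager:
    """Holds the encryptor object with a public setter so the method can be overridden by code."""

    def __init__(self):
        self._encryptor = SaltedPasswordEncryptor()  # secure default
        self._users = {}

    def set_password_encryptor(self, encryptor):
        self._encryptor = encryptor  # no interface needed; duck-typed encrypt()/matches()

    def save(self, name, password):
        self._users[name] = self._encryptor.encrypt(password)

    def authenticate(self, name, password):
        stored = self._users.get(name)
        return stored is not None and self._encryptor.matches(password, stored)
```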
