Hacker News

> String newPasswordHash = cryptoService.sha1(newPassword);

Ouch. It's 2017. I know it's a blog about unit testing, but using SHA-1, let alone unsalted SHA-1, for password hashing, even if only for illustration purposes, is dangerous.



At the risk of spitting into the wind, so is using String in Java for passwords; the actual password-centric interfaces in the JVM use char[] because one can zero out those, but cannot zero out immutable Strings.



