...
In both the setPassword() and checkPassword() methods, the cleartext representation of the password is erased immediately after it has been converted into a hash value. Consequently, an attacker who gains access to the process memory after the erasure cannot recover the cleartext password.
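The following is an added illustration of that pattern, written for this page rather than taken from the rule's own compliant solution. It assumes PBKDF2 with HMAC-SHA-256, a 16-byte random salt and the iteration count shown; the password is passed as a char[] so that every cleartext copy can be overwritten once the hash exists.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordStore {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;
    private final SecureRandom random = new SecureRandom();
    private byte[] salt;
    private byte[] hash;

    public void setPassword(char[] password) throws GeneralSecurityException {
        byte[] newSalt = new byte[16];
        random.nextBytes(newSalt);
        byte[] newHash = deriveKey(password, newSalt);
        Arrays.fill(password, '\0'); // erase the cleartext as soon as the hash exists
        this.salt = newSalt;
        this.hash = newHash;
    }

    public boolean checkPassword(char[] password) throws GeneralSecurityException {
        byte[] candidate = deriveKey(password, salt);
        Arrays.fill(password, '\0'); // caller's buffer is cleared before comparing
        boolean matches = MessageDigest.isEqual(hash, candidate); // constant-time compare
        Arrays.fill(candidate, (byte) 0);
        return matches;
    }

    private static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        PasswordStore store = new PasswordStore();
        // Constructed sample; real code would read the chars from Console.readPassword()
        // so that no String copy of the password is ever created.
        char[] entered = "correct horse battery staple".toCharArray();
        store.setPassword(entered); // entered now holds only '\0' characters
        System.out.println(store.checkPassword("correct horse battery staple".toCharArray()));
        System.out.println(store.checkPassword("wrong password".toCharArray()));
    }
}
```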
Exceptions
MSC04-EX0: Applications such as password managers may need to retrieve the original password in order to enter it into a third-party application. This is permitted, even though it violates the rule. The password manager is accessed by a single user and always has the user's permission to store their passwords and to display those passwords on command. As a result, provided the user is competent, the program's operation will be safe.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
MSC04-J | medium | likely | high | P6 | L2
...