chaitu236 / TakServer

Server to handle online TAK games
https://www.playtak.com
GNU General Public License v2.0

Passwords are stored in plaintext #4

Closed atoponce closed 8 years ago

atoponce commented 8 years ago

Passwords should be hashed before storing to disk. If the account database is leaked online, account credentials would be in the clear. Using a strong password hashing function (not general cryptographic hashing functions like MD5, SHA-1, SHA-256/512, etc.) like bcrypt will ensure that the password cracker needs to spend significant amounts of CPU brute forcing the hashes to discover the passwords.

Alternatively, you could use the scrypt PBKDF as a password hashing function, which also requires memory hardness in addition to CPU hardness like bcrypt.

Libraries exist in Java for both bcrypt and scrypt:

http://www.mindrot.org/projects/jBCrypt/
https://github.com/FauxFaux/scrypt
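As an added illustration of the hashing-before-storage approach described above (example code, not TakServer's own code), this uses the jBCrypt library linked in the comment; the class name, the cost factor of 12, and the constructed sample password are assumptions:

```java
import org.mindrot.jbcrypt.BCrypt;

// Example only (not part of TakServer): wraps jBCrypt so that the server
// persists a bcrypt hash instead of the plaintext password, and verifies
// login attempts against that stored hash.
public final class PasswordStorage {

    // Work factor: 2^12 bcrypt rounds. Raise it as hardware gets faster;
    // the cost is encoded in the hash, so old hashes remain verifiable.
    private static final int LOG_ROUNDS = 12;

    private PasswordStorage() {}

    // Returns the string to write to the account database.
    // gensalt() draws a fresh random salt per call, so two users with the
    // same password get different stored values (no shared precomputation).
    public static String hashForStorage(String plaintextPassword) {
        // bcrypt only considers the first 72 bytes of input; reject longer
        // passwords explicitly rather than silently truncating them.
        if (plaintextPassword.getBytes(java.nio.charset.StandardCharsets.UTF_8).length > 72) {
            throw new IllegalArgumentException("password exceeds bcrypt's 72-byte limit");
        }
        return BCrypt.hashpw(plaintextPassword, BCrypt.gensalt(LOG_ROUNDS));
    }

    // Verifies a login attempt. The salt and cost are parsed back out of
    // the stored hash, so nothing besides the hash string needs to be kept.
    public static boolean verify(String plaintextAttempt, String storedHash) {
        if (storedHash == null || !storedHash.startsWith("$2a$")) {
            return false;  // not a bcrypt hash: treat as a failed login
        }
        return BCrypt.checkpw(plaintextAttempt, storedHash);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";  // constructed sample
        String stored = hashForStorage(password);
        System.out.println("stored: " + stored);           // "$2a$12$..." not the password
        System.out.println("good login: " + verify(password, stored));          // true
        System.out.println("bad login:  " + verify(password + "x", stored));    // false
        // Same password, new salt: stored values differ, both still verify.
        System.out.println("distinct hashes: " + !stored.equals(hashForStorage(password)));
    }
}
```

Existing plaintext rows can be migrated on next successful login: verify against the stored plaintext once, replace it with `hashForStorage(...)`, and never write the plaintext again.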

eapache commented 8 years ago

Stored passwords should also be salted to prevent precomputation attacks.

atoponce commented 8 years ago

If using bcrypt or scrypt, this is handled transparently as part of the algorithm.

eapache commented 8 years ago

That's nice of them, didn't realize that.

atoponce commented 8 years ago

If the implementation does support automatically creating the salt, then of course create one. I guess it all depends on the implementation.

chaitu236 commented 8 years ago

Password encryption implemented by 5c86865a4de343c0a56dcecbc2fe8a3052f0b246