Hi,
I had the same question since I have deployed Spark & OpenFire in our company with the ability to log on via LDAP.
What I have discovered is that there is at least one security flaw because of a static, publicly known encryption key.
See these links:
1. Spark/Encryptor.java at master · igniterealtime/Spark · GitHub ( private static String secretKey = "ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae" )
2. Decrypting Spark Saved Passwords - Adam Caudill (worked for my Spark version 2.6.3)
I just stumbled onto this today; I think maybe I can circumvent this by compiling my own Spark binary (dunno, I'm a newb).
Cya guys, btw Spark rocks! =)
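The weakness the post points at is a compile-time secret: a static String field holding the key used to protect saved passwords, so anyone with the binary or the public source has the key. A cheap defensive check is to scan Java sources for exactly that pattern before a build ships. The following is an added example written for this thread; it is not code from the Spark or Openfire projects or from the poster. The Java snippet it scans is constructed here (the class and field names mirror the pattern described above, and the key value is a placeholder, not a real secret), and the field-name hints are an assumed heuristic.

```python
import re

# Constructed sample Java source (not the Spark project's code). The key
# value is a placeholder used only to exercise the scanner.
SAMPLE_JAVA = '''\
package org.example.client;

public class Encryptor {
    private static String secretKey = "PLACEHOLDER_STATIC_KEY_0123456789ab";
    private static final byte[] IV = new byte[] {0, 1, 2, 3, 4, 5, 6, 7};
    private static final int TIMEOUT_MS = 5000;

    public static String encrypt(String plain) {
        return plain;
    }
}
'''

# A static (optionally final) String / byte[] / char[] field initialised
# from a literal. The literal is captured so the report can show it redacted.
FIELD_RE = re.compile(
    r'''static\s+(?:final\s+)?(?:String|byte\s*\[\s*\]|char\s*\[\s*\])\s+'''
    r'''(?P<name>\w+)\s*=\s*(?P<init>"[^"]*"|new\s+(?:byte|char)\s*\[\s*\]\s*\{[^}]*\})'''
)

# Assumed heuristic: field names that usually denote key material.
NAME_HINT_RE = re.compile(r'(key|secret|passw|salt|iv|token)', re.IGNORECASE)


def find_hardcoded_keys(source: str):
    """Return (line_no, field_name, literal) for static fields whose name
    suggests key material and whose value is a compile-time literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = FIELD_RE.search(line)
        if m and NAME_HINT_RE.search(m.group("name")):
            findings.append((line_no, m.group("name"), m.group("init")))
    return findings


def redact(literal: str, keep: int = 4) -> str:
    """Keep only a short prefix so a scan report does not itself leak the value."""
    if len(literal) <= keep:
        return literal
    return literal[:keep] + "..." + "(%d chars)" % len(literal)


def report(source: str):
    """Human-readable lines, one per finding, with the literal redacted."""
    return [
        "line %d: static field '%s' initialised from literal %s"
        % (line_no, name, redact(init))
        for line_no, name, init in find_hardcoded_keys(source)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_JAVA):
        print(line)
```

Run against a real tree by reading each .java file and passing its contents to report(); the regex is deliberately line-oriented and will miss multi-line initialisers, so treat a clean result as a hint, not proof. The mitigation the findings point to is to stop embedding the key at all: derive it per installation or per user (for example from an OS-provided credential store) so that possession of the binary alone is not enough to recover saved passwords.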