That's correct. By the way, you can also configure the Derby server to only accept connections issued with a particular securityMechanism.
See 'derby.drda.securityMechanism' network server property in
David Van Couvering < email@example.com> writes:
> Hi, all. Someone asked me if things have changed around password
> encryption in 10.3 - is there some form of encryption by default, or
> is the default still to send the password in the clear? I scanned the
> "what's new" section of the release page but couldn't find anything
It is my understanding that you still need to add the securityMechanism
attribute to the connection URL in order to get password encryption.
Clear Text Password security is the default if you do not specify the
securityMechanism attribute and you specify both the user=userName and