That's correct. By the way, you can also configure the Derby server to only accept connections issued with a particular securityMechanism.
See the 'derby.drda.securityMechanism' network server property in
http://db.apache.org/derby/docs/dev/adminguide/adminguide-single.html#tadminconfigsettingnetwrokserverproperties

On 8/21/07, Knut Anders Hatlen <Knut.Hatlen@sun.com> wrote:
David Van Couvering <david@vancouvering.com> writes:

> Hi, all.  Someone asked me if things have changed around password
> encryption in 10.3 - is there some form of encryption by default, or
> is the default still to send the password in the clear?  I scanned the
> "what's new" section of the release page but couldn't find anything
> definitive...

Hi David,

It is my understanding that you still need to add the securityMechanism
attribute to the connection URL in order to get password encryption.

http://db.apache.org/derby/docs/dev/ref/rrefattribsecmech.html:

  Clear Text Password security is the default if you do not specify the
  securityMechanism attribute and you specify both the user=userName and
  password=userPassword attributes.

--
Knut Anders
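
The default described in this thread can be checked mechanically. The following is an added example, not part of the original messages or of Derby itself: a small audit of Derby network client URLs that reports the effective securityMechanism. The numeric values follow the Derby reference manual, the user-only default for URLs without a password is taken from that manual rather than from this thread, and the sample URLs are constructed. It only sees attributes in the URL, not credentials passed through a Properties object.

```python
import re

# securityMechanism values of the Derby network client (Derby reference manual).
MECHANISMS = {
    3: "CLEAR_TEXT_PASSWORD_SECURITY",
    4: "USER_ONLY_SECURITY",
    8: "STRONG_PASSWORD_SUBSTITUTE_SECURITY",
    9: "ENCRYPTED_USER_AND_PASSWORD_SECURITY",
}
PASSWORD_PROTECTED = {8, 9}  # password does not cross the wire in the clear

# jdbc:derby://host[:port]/database[;attr=value]...
CLIENT_URL = re.compile(r"^jdbc:derby://[^/;\s]+/[^;\s]*((?:;[^;\s]*)*)$")


def parse_attributes(url):
    """Return the ;key=value attributes of a Derby client URL as a dict."""
    match = CLIENT_URL.match(url.strip())
    if match is None:
        raise ValueError("not a Derby network client URL: %r" % url)
    attrs = {}
    for part in filter(None, match.group(1).split(";")):
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


def audit(url):
    """Return (effective mechanism name, finding) for one client URL."""
    attrs = parse_attributes(url)
    raw = attrs.get("securityMechanism")
    if raw is None:
        # Default quoted in the thread: user + password without the attribute
        # means clear text. Without a password the client falls back to user-only.
        code, origin = (3 if "password" in attrs else 4), "default"
    elif raw.isdigit() and int(raw) in MECHANISMS:
        code, origin = int(raw), "explicit"
    else:
        return ("UNKNOWN(%s)" % raw, "invalid securityMechanism value")
    if code in PASSWORD_PROTECTED:
        finding = "ok: password protected on the wire (%s)" % origin
    elif code == 3:
        finding = "password sent in clear text (%s)" % origin
    else:
        finding = "user name only, no password sent (%s)" % origin
    return (MECHANISMS[code], finding)


# Constructed sample URL; host, database and credentials are made up.
BASE = "jdbc:derby://db.example.test:1527/sales;user=app;password=s3cret"
for sample in (BASE, BASE + ";securityMechanism=9", BASE + ";securityMechanism=3"):
    print(sample, "->", audit(sample))
```

Client-side URLs are only half of the picture: the 'derby.drda.securityMechanism' server property mentioned in the reply makes the server refuse connections that use any other mechanism.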