The password should be given twice instead of duplicated.
Duplicating the password is not the way this API should be used. The intent of this API is to make sure that the user does not mistype the password. Duplicating the password circumvents this safety mechanism.
Example 1:
String password = request.getParameter("password");
...
// The same value is passed as both the password and its confirmation.
DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);
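A corrected form of Example 1, added here as an illustration and not part of the original page: the password and its confirmation are read from two separate form fields, so the comparison inside createUser() sees what the user actually typed twice. The class name, the field names "username" and "passwordConfirm", and the error messages are assumptions for this example.

```java
import javax.servlet.http.HttpServletRequest;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public class RegistrationExample {

    // Form field names: "password" appears in Example 1; the other two
    // are assumed for this example.
    private static final String USERNAME_FIELD = "username";
    private static final String PASSWORD_FIELD = "password";
    private static final String CONFIRM_FIELD = "passwordConfirm";

    public static User register(HttpServletRequest request)
            throws AuthenticationException {
        String username = request.getParameter(USERNAME_FIELD);
        String password = request.getParameter(PASSWORD_FIELD);
        String confirmation = request.getParameter(CONFIRM_FIELD);

        // Fail closed when the confirmation field is absent. Falling back
        // to the first value here would reintroduce the duplication that
        // Example 1 shows.
        if (password == null || confirmation == null) {
            throw new AuthenticationException(
                    "Registration failed",
                    "Password or password confirmation field missing");
        }

        // Both user-typed values are passed through unchanged, so the
        // mistype check in createUser() compares two independent inputs.
        return ESAPI.authenticator().createUser(username, password, confirmation);
    }
}
```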
[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3320.5 CAT II
[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 521
[3] OWASP ESAPI Secure Coding API: User
[4] Standards Mapping - FIPS200 - (FISMA) IA
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4