Is there a hack available that the userpasswords that are stored in the database, are encryped?
I'm not so good in mysql, but i think that it can be done by getting the encrypted password from the db, and encrypt the password that the user enters, and then compare it or something?

I would just be more safe. Because i run more often and more often into servers, wich have a standard phpadmin dir, provided by their isp, with isn't password protected, so anyone can read out the names and passwords..

If the passwords will be stored in the database with lets say md5 encryption, on those servers the information will still be readable, but the passwords will not be, cause the password can't be decrypted without entering a password and comparing it.

But then again, i don't think this is possible.. because, how would the passmailer work then?

But think about it :)

Both PHP and MySQL already have a standard encryption support built in. I agree it would be more secure, but I believe it's the admins responsibility to make sure things are secure. If you can't secure your equipment and software you deserve to be exploited.

Plus, even standard UNIX salt encryption can be broken by brute force. I have written programs in Perl, C and C++ that, given the encrypted password, will break it. Depending on the password and the machine it can take a lot of time, however you can divide the list of possible combinations down and spread it over a few computers. Given a handful of computers cranking away any password could be broken in a week or two. The other part that really makes this easy is the fact that current salt encryption can only encrypt a max of 8 characters. There are some algorithums out there that will break strings down into 8 character segments and encrypt each segment, however they aren't standard.


To make a long story even longer, I like users having the ability to have their password mailed to them. :)

basically, what you're saying is that every encryption can be broken. yeah sure, you're completely right.
But! Even if you spread it over more boxes, as you say, you will need lets say something like 2 weeks to break it.
Better 2 weeks, then no time at all.
And true, the servers SHOULD be more safe, but i've experienced a couple of times that the enduser wasn't even aware of the risks..
It's the ISP's task, but still i think that i, as end user on a discussion board, would beel more comfertable, knowing that my password is encoded, that even admin's can't see it blindly..

MD5 encryption can't be undone. This means that if a user loses their password, there is no way to get it back. Bammm lost user.

Originally posted by wluke
MD5 encryption can't be undone. This means that if a user loses their password, there is no way to get it back. Bammm lost user. But... if the users loses it's password, he/she must get it through the passmailer.

Why don't generate a random password then? I have that implemented in my 1.1.5 now when someone registers..

And if a member loses their password, it doesn't matter if they get their old password back, or a randomly generated one.. it's all the same to them, cuz they have to change it anyway..