I believe at this point Indexu is really vulnerable to hackers, since the passwords are just in plain text stored in the database.
I suggest that for version 4 the passwords get encrypted, md5 would be good enough...
I agree.
Though, if someone has access to your database then you have other problems to deal with.
What are you trying to protect?
Maybe someone could explain to me what the purpose of password encryption is. If a hacker gains access to your database, the only valuable data are your members' information, especially their CC number (which Indexu does not store) or email address.
Maybe you are speaking about the admin password? The only way a hacker can gain access to it is to look in your database. If the hacker gains access to your database you have lost already, and no amount of password encryption is going to save you!!!
Last edited by aladdin1; 12-22-2004 at 05:43 PM.
Storing passwords in plain text is just silly, IMO. No one should know a user's password except the user. You wouldn't want a bank clerk knowing the PIN code to your bank account, would you?
A lot of users use the same password for multiple accounts. What if you registered on a site and the admin read your password? All of a sudden, that guy has access to everything from your IndexU account to your Hotmail account.
Or what if a new exploit came about and a cracker could gain read-only access to the database? Same problems.
If you encrypt a password, you eliminate a bunch of privacy and potential security issues.
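The read-only-access scenario discussed in this thread, as an added example that is not part of any post and is not Indexu's code: a plaintext `users` table is migrated to salted one-way hashes, and the same table dump is compared before and after. It uses PBKDF2-HMAC-SHA256 with a per-user salt rather than the MD5 mentioned above; the table layout, column names, sample accounts and iteration count are assumptions made for the example.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' using a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record
        return False

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a users table holding plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "correct horse"),
                      ("admin", "s3cret-admin")])
    return conn

def migrate(conn: sqlite3.Connection) -> int:
    """Hash each plaintext password into a new column, then erase the plaintext."""
    conn.execute("ALTER TABLE users ADD COLUMN password_hash TEXT")
    rows = conn.execute("SELECT name, password FROM users").fetchall()
    for name, plaintext in rows:
        conn.execute("UPDATE users SET password_hash = ?, password = NULL "
                     "WHERE name = ?", (hash_password(plaintext), name))
    conn.commit()
    return len(rows)

def read_only_dump(conn: sqlite3.Connection) -> dict:
    """What anyone with SELECT access to the table sees, keyed by user name."""
    cols = [r[1] for r in conn.execute("PRAGMA table_info(users)")]
    return {row[0]: dict(zip(cols, row)) for row in conn.execute("SELECT * FROM users")}

if __name__ == "__main__":
    db = build_demo_db()
    print("before:", read_only_dump(db)["alice"])
    migrate(db)
    print("after: ", read_only_dump(db)["alice"])
```

Because each record gets its own salt, the two accounts that share a password end up with different stored values, so the dump no longer shows which users reuse a password.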