Hi,

Are the passwords going to be encrypted in the new version?

If not, I think you should consider implementing this

anybody?

If we encrypt passwords then one can no longer ask for their password to be sent by email. They can only request a new password to be sent. I would agree that perhaps an option could be added where you choose which behaviour you wish to have though I doubt it could be added to v2.0 at this time, perhaps v2.1

Originally posted by freddie
If we encrypt passwords then one can no longer ask for their password to be sent by email. They can only request a new password to be sent.[clip]

I would find this acceptable. If they forget their password and request that one be sent to them, assign them a random password, send it to them, and store this in the database. They can change their password when they log back in.

The big problem with plain text passwords is that users generally don't have many of these, and they will reuse them from one place to another. Allowing a vB admin access to their bulletin board password is probably going to grant that admin access to many more accounts than the user realizes.

I have changed all my vB passwords now to be different from anything I use anywhere else - including on other vB systems - for this very reason. I did not realize that my vB password was plain text in the database until I was poking around in the user table one day. I guess I should have realized it when I read about the "send me my password" utility, but I wasn't thinking.

-t