User having a copy of Database


Ken Iovino
Fri 9th May '03, 5:00pm
If a user has a copy of a vB database 2.2.6, is it possible for him to see passwords?

Odysseus
Fri 9th May '03, 5:04pm
No. The passwords are saved encrypted since 2.2.0.
MD5-Encryption can by no means be decrypted.

Son-Goku
Fri 9th May '03, 6:18pm
> No. The passwords are saved encrypted since 2.2.0.
> MD5-Encryption can by no means be decrypted.

yeah but can't someone just use the userid and the md5 hash in a modified cookie?

Odysseus
Fri 9th May '03, 6:44pm
> yeah but can't someone just use the userid and the md5 hash in a modified cookie?

Hm. Don't get the point about this ...
An MD5-hashed string cannot be decrypted because it's a one-way method. That's why hashing is used for it. :)

Why do you mention the user-id and the cookie? Has nothing to do with the algorithm ... :confused:

Son-Goku
Sat 10th May '03, 7:59am
no i don't mean it that way around. i mean that the cookie set by vb for automatic login stores the userid and the md5 hash right? so the md5 hash in the cookie and the md5 hash in the database are the same. so it could (that's what i asked / am unsure about) be possible for the person with his db backup to just insert somebody else's userid and md5 hash into his own cookie to get access to their account.

that wouldn't give the user the password but still he would be able to access any account on the board which is basically as of much use as the actual password.

example:
user 1 has the db backup and is a registered member of his forums
he changes his cookie to have user 2's userid and md5 hash
the question now is if that would give him access to user 2's account, cuz THAT would then be a security problem if he gave out the db backup to a user.

Odysseus
Sat 10th May '03, 5:26pm
> so it could (that's what i asked / am unsure about) be possible for the person with his db backup to just insert somebody else's userid and md5 hash into his own cookie to get access to their account.

In this way, it makes sense ...
but is this really possible?
(Changing a cookie, I mean).

Son-Goku
Sat 10th May '03, 6:05pm
> In this way, it makes sense ...
> but is this really possible?
> (Changing a cookie, I mean).

afaik the cookie specification states that a cookie is nothing else than a plain text file that may not exceed the size of 4 kb, so yes it's possible to edit it. i think the bigger problem would be the server accepting it or not. would also explain why ppl are always told to use different passwords for everything. :)
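
An added example, not part of the thread and not vBulletin's code: a generic model of the auto-login design Son-Goku describes (cookie holds the userid plus the same hash the database stores), next to a design where the cookie holds a random token and the database keeps only a hash of it. All names, the sample password and the in-memory tables are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample row: what a copy of the user table would contain.
USERS = {2: {"name": "user2", "pw_md5": hashlib.md5(b"sample-password").hexdigest()}}

def weak_cookie_login(userid, cookie_hash):
    """Design from the thread: the cookie value is the hash stored in the DB."""
    row = USERS.get(userid)
    return row is not None and hmac.compare_digest(row["pw_md5"], cookie_hash)

# Hardened design: hypothetical server-side table, userid -> SHA-256(token).
TOKENS = {}

def issue_token(userid):
    """Create a random login token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    TOKENS[userid] = hashlib.sha256(token.encode()).hexdigest()
    return token  # this value goes into the cookie and nowhere else

def token_cookie_login(userid, cookie_token):
    """Accept the cookie only if its hash matches the stored token hash."""
    stored = TOKENS.get(userid)
    if stored is None:
        return False
    presented = hashlib.sha256(cookie_token.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)

def demo():
    """Compare what a holder of the database copy can present in each design."""
    real_token = issue_token(2)
    db_copy_users = dict(USERS)    # contents of the database copy
    db_copy_tokens = dict(TOKENS)
    return {
        # The stored hash is itself the credential in the weak design.
        "weak_accepts_db_value": weak_cookie_login(2, db_copy_users[2]["pw_md5"]),
        # The stored token hash is not what the cookie must contain.
        "token_accepts_db_value": token_cookie_login(2, db_copy_tokens[2]),
        "token_accepts_real_cookie": token_cookie_login(2, real_token),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In the second design a database copy yields nothing that can be replayed as a cookie, and deleting a row from the token table revokes that login without touching the password.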