Forums as well as quite a few directories and rating scripts require people to register and give a password. I've just come across a vBulletin installation that has bypassed the usual user registration to store passwords as plain text rather than md5() encrypted values. I got to thinking... surely if a password isn't going to be securely stored the site should declare it? But if the site owner is too ignorant to know to encrypt then they won't know to make the declaration! Then perhaps sites that encrypt passwords should declare it. And how do we verify it when people are deliberately cheating us?
If I knew how to and had vBulletin set to show as plain text, I probably wouldn't want to do it. I wouldn't want hackers knowing it was plain text. From a user's side, I probably would want it declared. For example, I think phpBB is not encrypted, so I use a different password when I register on that board and boards I'm not sure if it's encrypted, a password that I don't use anywhere else.
In this particular instance the users are less likely to be tech savvy so won't be thinking about password security, but normally the use of vBulletin gives a sense of security.
I couldn't even imagine moving from vBulletin to any other system!!! Nothing'll ever beat vBulletin. If anyone doesn't have database access, they should get a new host. It does help to be able to make back-ups!!!
vBulletin is no doubt the best forum software out there... I would prefer not to sign up on any site that doesn't use encrypted passwords. All my sites that require a login/user sign-up store passwords in encrypted form.
You know what's an interesting site that has no encrypted passwords? MySpace. If you request your password to be emailed, it's emailed (not just changed like it should). Crazy for a site that size.
Considering that there are tons of people who are using the same password for everything, a forum owner with access to that password could potentially do some serious damage.
Yeah, that's what I was thinking. They're too busy trying to get as many Friends as they can (as if that actually means anything) and trying to be cool than worry about anything of actual importance (and thus uncool, esp if it requires effort or taxes their tiny excuse for brains) like having proper security in place. It must be a scammer's dream: a mass gathering of retards and techno-idiots: "lolz, im typing on a website, I'm so kewl! Hey, this random email from some guy in Nig... Nige... someplace in Africa (lolz, where is that?) is promising me mega bux! It must be true! Where's my credit card..."
At the end of the day even MD5s are easily B-forced. I would not do anything as long as I don't claim the passwords to be encrypted.
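Added example, not part of the thread and not vBulletin's or phpBB's code: a sketch of how a site owner could audit a credentials column for the three storage styles discussed above (plain text, bare md5(), salted slow hash) and what the salted form looks like. The function names, the `pbkdf2$salt$digest` layout, the iteration count and the sample rows are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example

def md5_unsalted(password):
    """Bare md5() of the password, the scheme the thread contrasts with plain text."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Salted, deliberately slow hash; returns 'pbkdf2$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2${}${}".format(salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk, expected)

def classify_stored(value):
    """Guess the storage scheme of one credential column value by its shape."""
    if value.startswith("pbkdf2$"):
        return "salted-kdf"
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-like"  # 32 hex chars: consistent with bare md5()
    return "plaintext-or-unknown"

def audit(rows):
    """Map each user to the scheme their stored value appears to use."""
    return {user: classify_stored(value) for user, value in rows}

# Constructed sample table: (username, stored value). Not real data.
SAMPLE_ROWS = [
    ("alice", "letmein"),                # stored as typed
    ("bob", md5_unsalted("letmein")),    # bare md5()
    ("carol", md5_unsalted("letmein")),  # same password gives the same digest as bob
    ("dave", hash_password("letmein")),  # salted and slow
]
```

In the sample, bob and carol share one stored value because bare md5() has no per-user salt, while two salted hashes of the same password differ and each guess costs 600,000 hash iterations.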