Gossamer Forum
Home : Products : Gossamer Links : Version 1.x :

Password Security in admin

Password Security in admin
Hi there,

I'm wondering about the security features with registered users and editors.

In the admin when looking at the User database, passwords are visible (not encrypted) along with usernames. This sort of defeats the purpose of having them, doesn't it? I know people watch unencrypted browser transactions; what's to prevent them from getting a hold of all the usernames and passwords if admin is not running under SSL?

Has anyone encrypted the passwords in the database?

Also, has anyone come up with a "forgot your password?" to allow users to find out their passwords?

Peace.

Kyle
Re: Password Security in admin
The nonencrypted passwords are more of a theoretical than an actual problem.

First of all, if someone did sit there to try to find your passwords, what could they do with them?

For financial transactions it's possible for someone to tap into the routers, or other networks leading to those machines, and try to sniff out packets and passwords. The benefits of doing that have some reward.

If you look, the most common security breach is not stealing packet passwords -- but hacking the system and stealing the password and charge card log files.

Protect your admin directory properly, and the database files, and that's the best security.

There really is no good solution for browser authentication or server authentication using encryption.