Hi all!

I just pushed a patch for introducing a little bit more security on the user passwords. Currently passwords are stored as MD5 hashes; this is usually pretty secure and can be attacked by brute force only in most cases. However, there are databases of common-word MD5 sums available ([1], [2]) which make decrypting weak passwords a matter of seconds. So this is a serious problem where the crypted passes may be available easily (shared hosting).

The solution against this is adding a random salt, so I added that. Well, and while I was at changing that anyway, I made the whole thing configurable. Now the following methods can be used for storing the passwords:

* smd5 - Salted MD5 hashing
* md5 - Simple MD5 hashing
* sha1 - SHA1 hashing
* ssha - Salted SHA1 hashing
* crypt - The old Unix crypt using a 2-char salt

All methods can be used together, so you can continue to use the old MD5-crypted passwords but can have new passwords added with any of the other methods.

In inc/auth.php two new functions are available: auth_cryptPassword() for crypting a password and auth_verifyPassword() to verify an uncrypted password against a crypted one. Currently both of them are used in auth_plain only. Patches for using them in the other auth modules would be welcome.

Regards
Andi

[1] http://md5.crysm.net/
[2] http://md5.rednoize.com/
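Editor's note: the following is an added example, not Andi's patch and not DokuWiki's inc/auth.php. It sketches a crypt/verify pair with the five methods named above and shows why the salt matters: a stored plain MD5 digest can be looked up in a precomputed table of common-word hashes (the table here is constructed inline, standing in for the online lookup sites referenced), while a salted digest of the same password cannot. The `$method$salt$hash` storage format, the helper names (`example_*`) and the 8-byte hex salt are assumptions made for the example; the real patch's format may differ.

```php
<?php
// Added example, not DokuWiki code. Storage format is an assumption:
//   smd5/ssha: "$smd5$<hexsalt>$<hexdigest>" / "$ssha$<hexsalt>$<hexdigest>"
//   md5/sha1:  bare hex digest (32 / 40 chars)
//   crypt:     the 13-char traditional DES crypt() string, salt = first 2 chars
declare(strict_types=1);

function example_salt(int $bytes = 8): string {
    // random_bytes() is CSPRNG-backed; a guessable salt defeats the purpose.
    return bin2hex(random_bytes($bytes));
}

function example_cryptPassword(string $clear, string $method = 'smd5', ?string $salt = null): string {
    switch ($method) {
        case 'md5':
            return md5($clear);
        case 'sha1':
            return sha1($clear);
        case 'smd5':
            $salt = $salt ?? example_salt();
            return '$smd5$' . $salt . '$' . md5($clear . $salt);
        case 'ssha':
            $salt = $salt ?? example_salt();
            return '$ssha$' . $salt . '$' . sha1($clear . $salt);
        case 'crypt':
            // traditional Unix crypt: 2-char salt from [a-zA-Z0-9./]
            $salt = $salt ?? substr(strtr(base64_encode(random_bytes(2)), '+', '.'), 0, 2);
            return crypt($clear, $salt);
        default:
            throw new InvalidArgumentException("unknown method: $method");
    }
}

// Detects the method from the stored string, so old md5 entries and new
// salted entries can coexist in the same user file.
function example_verifyPassword(string $clear, string $crypt): bool {
    if (preg_match('/^\$(smd5|ssha)\$([0-9a-f]+)\$[0-9a-f]+$/', $crypt, $m)) {
        $method = $m[1];
        $salt   = $m[2];
    } elseif (preg_match('/^[0-9a-f]{32}$/', $crypt)) {
        $method = 'md5';
        $salt   = null;
    } elseif (preg_match('/^[0-9a-f]{40}$/', $crypt)) {
        $method = 'sha1';
        $salt   = null;
    } else {
        $method = 'crypt';
        $salt   = substr($crypt, 0, 2);
    }
    // hash_equals() avoids leaking the match position through timing.
    return hash_equals($crypt, example_cryptPassword($clear, $method, $salt));
}

// Constructed stand-in for an online MD5 lookup table: a few common words,
// hashed once ahead of time.
function example_lookupTable(): array {
    $table = [];
    foreach (['password', 'secret', 'letmein', 'dokuwiki'] as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

function example_reverse(string $stored, array $table): ?string {
    // Only an unsalted digest can ever match a precomputed table.
    return $table[$stored] ?? null;
}

$table  = example_lookupTable();
$plain  = example_cryptPassword('secret', 'md5');
$salted = example_cryptPassword('secret', 'smd5');

echo "plain md5 reversed:  ", example_reverse($plain, $table)  ?? 'not found', "\n";
echo "salted md5 reversed: ", example_reverse($salted, $table) ?? 'not found', "\n";
echo "verify correct pw:   ", var_export(example_verifyPassword('secret', $salted), true), "\n";
echo "verify wrong pw:     ", var_export(example_verifyPassword('wrong', $salted), true), "\n";
```

Two caveats a practitioner would add: the salt blocks table lookups of the kind the mail describes, but MD5 and SHA1 are fast, so a leaked user file still allows per-user brute force of weak passwords; and a 2-char DES crypt salt gives only 4096 variants. On current PHP the same crypt/verify split is provided by password_hash() and password_verify(), which salt automatically and use a deliberately slow hash.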