Quote:
Originally Posted by AshG
i have done a lot of work on sql databases in my time and the encriptions are not hard to get around if you know what you are doing. 
i run a phpbb forum and have got users passwords out of the tables and decrypted them when they have forgot thir passwords. takes about 5mins if you have the correct tools. |
Sorry, that's utter bollocks, written by someone that can't even spell 'encryption', let alone be expected to understand how it works. The whole point of a forward encryption system, for example md5, is that the only way around it. Unfortunately for you, you're picking on my specialist subject as I'm a security analyst contractor working mainly for the high street banks.
Pretty much any PHP+MySQL web application will use either md5 or SHA1 to secure the passwords in the database. Whilst md5 has been shown to be insecure, it's not a trivial job to crack it, and only works in a limited number of cases. For the level of security required for sites like this, I would personally consider it perfectly secure enough, but I wouldn't want to send my credit card number in public view using it. It's also easier on the CPU than SHA1, so on a busy site it could improve performance.
SHA1 again has weaknesses in a tiny number of cases. I've yet to see a hack attempt on any system I've worked on that relied on a weakness in it, and if they guys I have to defend against don't know how to do it, nobody does. It is heavier on the CPU though, which is why most sites will stick with md5.
In short, if you can decode someone's password in a few minutes then your implementation is either stupidly out of date or has been written by a complete idiot.