dunno, cus XOOPS is pretty secure itself. what version had you had installed?

As far as I know, XOOPS is very secure providing that the webmaster has put the appropriate measures in place, such as ensuring verification by an e-mail link, and also thinking of the more common names that a hacker may try to register with and then entering those in the list of barred usernames (such as letmein, test, tesing, admin, webmaster etc). Its certainly not open to SQL Injections and the like (but agagin, this is providing that the webmaster uses the latest version of everything, like MySQL!).

I raised the question here myselfhttps://xoops.org/modules/newbb/viewtopic.php?topic_id=22309&forum=20#forumpost97482 and because MD5 encryption is used, the system is secure as houses really. Just take precautions with the webmastering.

One other point - anyone who collects user data has a duty under the Data Protection Act 1998 (if you are UK based) to ensure they have done everything in their power to keep the data secure. If they fail to do so (for example by not updating their system with the latest patches) they can be liable for prosecution.

Someone should tell Microsoft that as well!!

Out of curiosity, if I use a 16 random character password, will this greatly descrease the chance that my site will be hacked? Or can a good hacker somehow find out a password, no matter the length, in another way?

You can use an extra security module: Anti Dos

This will set back possible security breaches through Denial of service attacks or in general people who will try to programmatically break the user password by trial and error.

I think a site can never be 100% secure, but trying it never hurt anyone

Regards,

Martijn

Um, I'm curious about this too..

Quote:

Even on the front page of this site Xoops.org I don't see the use of the MD5 hash being used. As I under stand it, it needs to happen before the post of the login form or the form ( passwords included ) is readable by anybody sniffing the plain text transmissions.

For a website, I'm working on at work, we md5 hash paswords in the db, but also have a javascript md5 hash algorith that is used on the client side..
We send a one time use random string, which when it is md5 hashed with the users md5 hashed password is then transfered back to us to verify....
I can explain more, but i assume that the dev's here understand.

I just don't see the md5 hash algo on the front page being included.. But I might be missing it.

Flinx