One of the issues is that everyone knows phpBB uses md5 to 'encrypt' the passwords, so if you can get someone's password by an SQL injection exploit, you know how to brute force it (using mdcrack for example).
If the admins alter the php code to change the encryption algorithm, then a would-be hacker would have a much harder time trying to crack it.
Even with MD5, if you choose a password >9 characters with a mix of upper/lower case, numbers and non-alpha characters, brute forcing it using a PC would be extremely time consuming.
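As an added illustration of the post's point (this is example code, not phpBB's own or the poster's), the snippet below stores the same constructed sample passwords two ways: plain unsalted MD5 as described above, where two users with the same password get the same hash and a single precomputed table serves every account, and PHP's built-in `password_hash` (bcrypt with a random per-user salt and a work factor), where the same password yields different hashes and every guess costs real CPU time. The last function turns the post's ">9 characters, mixed classes" advice into a rough keyspace estimate; the 94-character alphabet and the guess rate of 1e9/s are assumptions for the sake of the calculation.

```php
<?php
// Added example, not part of phpBB: unsalted MD5 versus a salted, slow hash.

// Constructed sample accounts; none of these are real phpBB records.
$passwords = ['alice' => 'password1', 'bob' => 'password1', 'carol' => 'Tr0ub4dor&3'];

// 1. Unsalted MD5, the scheme the post describes. Identical passwords give
//    identical hashes, so one lookup in a precomputed table recovers both.
$md5Store = [];
foreach ($passwords as $user => $pw) {
    $md5Store[$user] = md5($pw);
}
printf("MD5: alice and bob share a hash: %s\n",
       var_export($md5Store['alice'] === $md5Store['bob'], true));   // true

// 2. Salted, iterated hash via password_hash (bcrypt, cost 12). The salt is
//    generated per call and stored inside the returned string, so equal
//    passwords no longer collide and each guess costs the attacker the full
//    work factor.
$strongStore = [];
foreach ($passwords as $user => $pw) {
    $strongStore[$user] = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]);
}
printf("bcrypt: alice and bob share a hash: %s\n",
       var_export($strongStore['alice'] === $strongStore['bob'], true)); // false

// Login check: password_verify reads the salt and cost back out of the stored
// string, so the application never handles the salt itself.
var_dump(password_verify('password1', $strongStore['alice']));  // bool(true)
var_dump(password_verify('wrong',     $strongStore['alice']));  // bool(false)

// 3. Keyspace estimate behind the post's length/complexity advice.
//    Assumed alphabet: 26 upper + 26 lower + 10 digits + 32 symbols = 94.
//    Assumed attacker speed: 1e9 MD5 guesses per second (a constructed figure).
function bruteForceYears(int $length, int $charset, float $guessesPerSecond): float
{
    return ($charset ** $length) / $guessesPerSecond / (365 * 24 * 3600);
}
printf("10-char, 94-symbol keyspace at 1e9 guesses/s: about %.0f years\n",
       bruteForceYears(10, 94, 1e9));
```

Run it with `php example.php`. Note that the keyspace figure only holds if the password is actually random across the whole alphabet; a dictionary word with a capital and a digit appended is searched far faster than the exponent suggests, which is why the salted, slow hash matters regardless of password policy.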