I have been bouncing around the SilverStripe database for a few hours, and one of the things that has immediately jumped out at me is that member passwords in the `Member` table are stored unencrypted.
Shouldn't there be some sort of encryption, at least md5, and perhaps a dash of salt as well? Many (most?) people recycle at least some of their passwords for various services; I am not sure of other people's general opinion on passwords, but I for one would be more comfortable knowing that my password is not sitting in a database somewhere in clear view of anyone with access to it.
Is there any reason why the passwords are stored in clear text that I am not aware of? And wouldn't a change to encrypted passwords be a fairly trivial task? (I have not yet delved deep enough into the SilverStripe database queries to see how many references to that table would need to be amended to make such a change.)
Thoughts?