Something here is something that you can test out.
I've added support for encrypted passwords now since the clear text storage is not really secure since a lot of people use the same password everywhere.
So now you can specify in sapphire/_config.php if you want to encrypt your passwords or not (Security::encrypt_passwords(bool)). Additionally you can specify the algorithm you want to use and also if a salt should be used to increase the security even more (Security::set_password_encryption_algorithm(algorithm, use_salt)).
To make it easy to migrate to encrypted passwords, there is now also a new action that you can call, namely yoursite.com/security/encryptallpasswords. You will need to authenticate yourself with an administrator account and then all clear text passwords will be encrypted according to your settings.
If you decide to change the settings later it's no problem. All new user accounts will be created according to the new settings and the old ones will be updated to those settings when you assign them a new password (otherwise they will continue to use the old settings).
All of these changes are in r38608.
As a consequence of these new features, the "I've lost my password" feature doesn't work anymore since it now sends out the encrypted (and maybe salted) password, which can't be used to log in.
I'm aware of that problem and will [url=http://support.silverstripe.com/gsoc/ticket/48]fix it soon[/url].
Could you all please test the new code and report if everything works fine for you or if there are any problems?
Thanks a lot and have a great weekend
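
The behaviour described in the post above (per-account settings, the one-off migration, and why mailing out the stored value breaks password recovery), as an added example that is not part of the original post and is not SilverStripe code. The function names, the array layout, prepending the salt to the password, and the sha256/sha512 choices are all assumptions made for illustration; it needs PHP 7 or later for random_bytes().

```php
<?php
// Stand-alone model: each record remembers the algorithm and salt it was stored
// with, so changing the site-wide settings only affects passwords set afterwards.

// Hypothetical site-wide settings (stand-ins for the two Security:: calls).
$settings = ['encrypt' => true, 'algorithm' => 'sha256', 'use_salt' => true];

function store_password(array $settings, string $password): array {
    if (!$settings['encrypt']) {
        return ['algorithm' => 'none', 'salt' => null, 'password' => $password];
    }
    $salt = $settings['use_salt'] ? bin2hex(random_bytes(16)) : null;
    return [
        'algorithm' => $settings['algorithm'],
        'salt'      => $salt,
        // Assumption: salt is prepended; the post does not say how it is combined.
        'password'  => hash($settings['algorithm'], (string)$salt . $password),
    ];
}

function check_password(array $record, string $candidate): bool {
    // Verify with the settings stored on the record, not the current ones.
    $expected = $record['algorithm'] === 'none'
        ? $candidate
        : hash($record['algorithm'], (string)$record['salt'] . $candidate);
    return hash_equals($record['password'], $expected);
}

function encrypt_all_passwords(array $settings, array $members): array {
    // One-off migration: only records still in clear text are touched.
    foreach ($members as $name => $record) {
        if ($record['algorithm'] === 'none') {
            $members[$name] = store_password($settings, $record['password']);
        }
    }
    return $members;
}

// Constructed sample data.
$members = ['alice' => ['algorithm' => 'none', 'salt' => null, 'password' => 'correct horse']];
$members = encrypt_all_passwords($settings, $members);
var_dump(check_password($members['alice'], 'correct horse')); // original password vs migrated record

// The site later switches algorithm; alice's record keeps its stored settings.
$settings['algorithm'] = 'sha512';
$members['bob'] = store_password($settings, 'battery staple');
var_dump($members['alice']['algorithm'], $members['bob']['algorithm']);
// Submitting the stored digest itself as the password, as a recovery mail would invite.
var_dump(check_password($members['alice'], $members['alice']['password']));
```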