[DaffyDuck]

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]

Actually it would be so complex that if you were able to perform this feat of legerdemain you should be hacking 100 million dollar Federal Reserve Bank accounts rather than PP accounts.


[/ QUOTE ]

Actually it would be so easy that anybody with an intermediate amount of development experience could probably pull it off in a day. All that would be involved is replacing the code that currently encrypts the password before it is written to the db with code that just leaves it as it is.

[/ QUOTE ]

It doesn't work that way, at least it shouldn't work in that manner. My company developed a large amount of online gaming software in the early years and it would be nearly impossible to do what you describe and completely impossible without being easily detected not only by internal safeguards but by the end uses themselves.

[/ QUOTE ]

I'm guessing you weren't a programmer at that company.

The argument here isn't about how hard it would be to capture passwords on a site you didn't own, it's about how easy it would be to capture passwords on a site you DID own. Forum software does whatever you want it to if you own the site. If you want to log the passwords or store them in plain text and not encrypt them, it is your site and your code and there ain't no trick to it. To say that it pose any kind of difficulty at all is just ignorance.

So, if I wanted to put up a web site and force people to enter a password and I wanted to harvest those passwords I would bet a significant percentage of those passwords would be usable for any and all accounts, forums, etc. that that person uses. Probably even their email account. It's probably the password they have on a post-it note on their monitor and that they use everywhere they need a password. That is why you should never use common passwords at different Internet stes.