Why you should (or shouldn't) have very secure passwords

More than a few times now I've had issues with users on a Drupal site where they've stated that something doesn't work for them, and it's very useful to put yourself in their shoes and see what they're seeing. Of course, as a site administrator you can see all their data anyway, but the permissions are different. What you really want is their password.
Of course you can only see the MD5 hash of their password in the database, but so long as they've chosen a fairly weak password you can easily get it. Just Google for md5 crack and you'll find a series of sites that have massive databases of MD5 hashes with their respective passwords (you may need to try more than one). If they've got a good password then you won't get in that way.

There are other ways of doing this than getting their password: the Masquerade module does just this, though I've not tried it out yet.
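Why the lookup described above works against an unsalted MD5 column and fails against a salted, iterated hash, shown as an added example that is not from the original post or from Drupal's own code. The user names, the password, the one-entry table and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: two hypothetical users who picked the same weak password.
USERS = {"alice": "letmein", "bob": "letmein"}


def md5_unsalted(password: str) -> str:
    """Unsalted MD5 hex digest, the storage format the post describes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputed_hits(stored_hashes, table):
    """Return users whose stored value appears in a precomputed hash table."""
    return sorted(u for u, h in stored_hashes.items() if h in table)


# A precomputed table maps hash -> password; built here from one constructed entry.
TABLE = {md5_unsalted("letmein"): "letmein"}

md5_column = {u: md5_unsalted(p) for u, p in USERS.items()}
kdf_column = {u: pbkdf2_store(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("MD5 rows found in table:   ", precomputed_hits(md5_column, TABLE))
    print("PBKDF2 rows found in table:", precomputed_hits(kdf_column, TABLE))
    print("Same password, same MD5:   ", md5_column["alice"] == md5_column["bob"])
    print("Same password, same PBKDF2:", kdf_column["alice"] == kdf_column["bob"])
```

With a per-user salt, a table computed once cannot be reused across accounts, and the iteration count makes each guess expensive, so the stored value no longer reveals a weak password by simple lookup.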

