Author: JJenZz
Posted: Dec 5th 2007 (edited by JJenZz on the 05th December 2007 at 10:20:48 EST)
I posted the following in another topic, but wanted to create a new one because I thought it mightn't get read where it is and I am quite concerned...

Posted By: Christopher
"Oh and how silly can you be? You used the same (extremely simple and unsecure) password - 7 letters, all lowercase, yes I know what it was - for both accounts... you may want to change that now eh?"
I dunno about anyone else, but personally I'm wondering how you know his password? Surely all passwords are securely encrypted upon registering? I am a little shocked to say the least.
Author: papab30
Posted: Dec 5th 2007
If it's an MD5 hash, then the encryption is one way. There is no way to read that password, but you can compare it against other encrypted strings to see if the lengths are the same. But as in knowing what the data itself is... very difficult.
Author: Christopher
Posted: Dec 5th 2007
Sorry I haven't read any other threads since yesterday, but thought I should reply to this ASAP.
Yes, it is an MD5 hash, which you are right in saying is one way, but there are many tables of MD5 sums available for searching, and unfortunately it was necessary to decode the password to try and narrow out the possibility of coincidence before accusing someone of duplicate accounts used for abuse.
Upon noticing the abusing user account, first thoughts were to check IPs; both were the same (static) IP address, that was strike one. Strike two came when comparing the MD5 hashes of both user accounts, as they were the same (the only 2 accounts with this hash as well), but of course 2 people may have the same password, so this could have been a coincidence, which is why I used a brute force method on it to check it wasn't purely password or the like; as the password wasn't something "disposable", it was too much of a coincidence.
But in short, the database is securely protected on the server: access is not only restricted, but the MySQL user password in use is ridiculously long and contains a huge range of special characters. Without this database access I wouldn't have been able to touch the MD5 hash even, but once people have access to hashed passwords, you should know that all basic passwords (1 - 7 characters, not mixed case or alphanumeric) are easy to decode within an hour at most using a brute force method.
Just making it 8 characters long and including a single number or special character would have made it near impossible to decode, so I think the real thing people should worry about is the security of their passwords; using basic words that are all lowercase is completely insecure, full stop.
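The post above describes two properties of the site's unsalted MD5 storage: identical passwords produce identical hashes (which is how the two accounts were linked, and what precomputed MD5 tables rely on), and a short all-lowercase password lives in a keyspace small enough to search exhaustively. The following is an added example, not code from this forum or its software; it uses constructed sample accounts, shows the duplicate-hash grouping and the keyspace arithmetic for the 26^7 versus 62^8 cases the post contrasts, and places a salted, iterated PBKDF2-HMAC-SHA256 store beside the unsalted one as the hardening a site operator would apply (the salted scheme and the user names are assumptions of this example).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two accounts that happen to share a short,
# all-lowercase password, plus one with a longer mixed-character password.
SAMPLE_PASSWORDS = {"alice": "sunrise", "bob": "sunrise", "carol": "Tr0ub4dor&3"}


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the storage scheme described in the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_store(passwords: dict) -> dict:
    """Build a user -> MD5 hex table the way the thread's site did."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def duplicate_hash_groups(store: dict) -> dict:
    """Group users whose stored digests are byte-for-byte identical.

    With an unsalted hash, equal passwords give equal digests: that is how the
    admin above linked two accounts, and why a leaked hash table can be matched
    against precomputed MD5 tables. Returns {digest: [users]} for groups > 1.
    """
    groups = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of fixed-length passwords covers."""
    return alphabet_size ** length


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> tuple:
    """Assumed hardening (not the site's scheme): PBKDF2-HMAC-SHA256 with a random
    16-byte per-user salt. Equal passwords no longer give equal digests, and each
    guess costs `iterations` HMAC rounds instead of a single MD5."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def salted_store(passwords: dict) -> dict:
    """Build a user -> (salt, digest) table with a fresh salt per user."""
    return {user: salted_hash(pw) for user, pw in passwords.items()}


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = unsalted_store(SAMPLE_PASSWORDS)
    print("unsalted duplicates:", duplicate_hash_groups(weak))
    print("26^7 lowercase keyspace:", keyspace(26, 7))
    print("62^8 alphanumeric mixed-case keyspace:", keyspace(62, 8))
    strong = salted_store(SAMPLE_PASSWORDS)
    print("salted duplicates:", duplicate_hash_groups({u: d for u, (s, d) in strong.items()}))
    salt, digest = strong["carol"]
    print("carol login ok:", verify("Tr0ub4dor&3", salt, digest))
```

The unsalted table exposes the alice/bob collision immediately; the salted table does not, so an operator who needs to investigate duplicate accounts has to rely on other signals (such as the shared IP address mentioned above) rather than comparing stored hashes, which is the intended trade-off.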
Author: JJenZz
Posted: Dec 5th 2007
Okay, thank you muchly for clearing that up and sending me an email to notify me *phew*
Author: Christopher
Posted: Dec 5th 2007
You're more than welcome as it's a perfectly valid question to want answering!
Author: gnome
Posted: Dec 5th 2007
I was a bit worried too, because I (being lazy) use the same password in too many spots.
