As well, if a person has the administrator right on your board, he can download the database, and do anything with it, like obtain the md5 encrypted password of all users of your board and you can guest what can happen after that...
Some people use the same password for a discussion board and an hotmail account...
Don't give admin right to someone can do damage to your board and to the users of your board...
What he can setup an identical board offline and try to brute force the passwords? Or I guess they could just delete the MD5 in the database, thus removing passwords. Or they could just go to Mangement section of Users and enter in a username and change the passwords.
I'm getting the feeling you mean they can reverse the MD5, which is 100% impossible since it is a one-way-hash.
That's been discussed many
times before ... and is neither really correct, nor entirely wrong:
Use the search function - however, the point is, you don't need to actually "reverse engineer" the hash, the majority of passwords is likely to be extremely simple and SHORT, hence they are prone to dictionary based attacks, which comes down to simply generating the corresponding hashes for a dictionary and then compare the resulting hash table against the hashed password that you need to know.
Any password that's not too complex (i.e. max. extended ascii charset) and not much longer than ~10 bytes, can be easily obtained using such an approach.
The catch is however, that you first need to create the corresponding hash databases, depending on the desired complexity this can take several weeks or even months, though.
But there are very simple scripts available that allow you to put that data into a SQL table, so that you can use that database once it's been created.
Again: this is NOT a weakness of phpBB - not even of MD5 itself, it's merely a weakness on the user side of things - even though it'd be a good thing if phpBB supported passwords > 32 bytes.
However, as soon as you have admin rights (=> the possibility to run SQL queries) you can simply do anything with the DB and won't have to actually care for any (user) passwords because anything is stored entirely unencrypted in the DB itself, so you could for example reset the password or clone a user and then reset the password in order to investigate said account.
By the way: I don't think it'd appropriate to delete ANYTHING in this thread, after all NOTHING really serious has been discussed so far: anybody
who knows a bit about php/mySQL or even phpBB would know how to actually do such things anyway ...
So there's no point in censoring such information: security by obscurity doesn't work after all.