I had my board compromised, no clue how but it did. Thats out of the discussion. And that compromiser decoded the passwords and now has just a handful of my users passwords. He had direct mySQL access and would run queries picking up whoevers password. Thank god, he only got a few, but point being he decoded them! I thought they were salted or something. I did some reading and is it possible to switch the storing to a sha1. Or decode the md5 into a sha1, then when checking auth. You make md5, then encode in sha1. Or any of the sha family. I was just wondering if anyone could lead me where to start (file wise), so I could do it, or take it upon yourself.