i need forum script with no algorithm

any forum script without md5 hashing

         

HitDelisi

5:30 pm on Feb 10, 2010 (gmt 0)

10+ Year Member



Hi. I need a forum script which doesn't have an MD5 hashing algorithm, so I want to see users' passwords from my phpMyAdmin. Do you know any scripts like that?

jatar_k

8:09 pm on Feb 10, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You could just remove the md5 function if that's what you really want.

Tommybs

9:34 pm on Feb 10, 2010 (gmt 0)

10+ Year Member



Just out of curiosity, why would you want to see your users' passwords? I would make it very clear that they will be stored plaintext before people sign up so they know what they are getting into. I personally would never sign up to somewhere that stores passwords in plaintext. In this day and age what you're suggesting seems absolutely absurd to me.

Anything like that sounds incredibly dodgy; if you get hacked your users are at the mercy of your lax safety. I don't know if this could have any legal ramifications for you. I'd also be worried that you are going to use passwords for your own gain and brute force attacks.

Don't take this as a dig, but it really is a serious concern, especially as forums such as this are trying to raise awareness of the importance of safety and security. Unless you're using this in complete isolation I wouldn't even consider removing the hash function, and I can't even see why you would want to do it in isolation.

Leosghost

9:55 pm on Feb 10, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Agreed ..( I've been following the OP's other threads on the same "subject") the "why" is intriguing..and in the absence of explanation/clarification ..somewhat disturbing..as many people use the same passwords for many things ..

jatar_k

1:49 pm on Feb 11, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Let's remember, though, that you only have to take security measures adequate to protect the data that you require from your users; if it's only an email address or even just a username then there isn't really any liability, nor have you gone against personal privacy laws.

If people use the same password everywhere then that's their own problem. I have a range of passwords and I am very aware of where I use what.

Plus you never have any idea what sites can view your password. Any site that can send you your existing password is at least using 2-way encryption; is that any better than none? Even sites that always change your password when you ask for it aren't necessarily encrypting it properly.

If we wanted to be really picky even MD5 can be broken, which most sites use, so where do we draw the line?

You must take adequate security measures to protect the data you collect; if you collect little or no data that is deemed personal or sensitive then you don't need much or any security.

Your users' behaviours on other sites are not a liability or really a concern.

Tommybs

6:10 pm on Feb 11, 2010 (gmt 0)

10+ Year Member



I appreciate what you are saying, and yes md5 can be broken, but I think it's better to have some layer of protection than no protection, especially if you are going to be using a CMS with open source code. Every layer of protection is more likely to deter all but the most determined of hackers.

I think what worries me more is the fact the OP said that they want to see the users' password. Unless he plans on replying to every forgotten password request himself, what need is there to see it?

I know it's not really the responsibility of a site owner to ensure users use new passwords for everything, but shouldn't we make every site as simple as possible for users and code in that security?

JS_Harris

3:15 am on Feb 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Lawsuit waiting to happen.

lammert

5:15 am on Feb 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No lawsuits happening.

I know of Alexa 1000 community sites which have the functionality to send you your current password by email in case you have forgotten it. The only way they can do this is by either having the password stored in plain text, or having the password stored with a reversible encryption where the decryption algorithm is stored on the server.

I remember the OP saying something about copying user information from one users table in a database to a blog users table. Copying the password column would give the most problems if they are encrypted with different hashes. Storing all passwords in plain text would solve that problem, although I agree it is not the best solution from a security point of view.
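
One way to handle the mixed-hash problem described in the post above, and the weak-MD5 point raised earlier in the thread, without storing plaintext: tag each copied row with its hash scheme and upgrade it at the next successful login. This is an added example, not part of any post in the thread; the `scheme` and `hash` field names and the sample rows are assumptions constructed for illustration, and it needs PHP 5.6 or later.

```php
<?php
// Added example. Field names and sample rows are hypothetical/constructed.

// Verify a login against whichever scheme the row was copied with,
// then upgrade the stored hash in place. Plaintext is never persisted.
function verify_and_upgrade(array &$user, string $password): bool
{
    switch ($user['scheme']) {
        case 'md5':     // legacy forum rows: unsalted MD5 hex digest
            $ok = hash_equals($user['hash'], md5($password));
            break;
        case 'native':  // rows already created with password_hash()
            $ok = password_verify($password, $user['hash']);
            break;
        default:        // unknown scheme: fail closed
            return false;
    }
    if (!$ok) {
        return false;
    }
    // The password is in memory only during this request: rehash it now.
    if ($user['scheme'] !== 'native'
        || password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $user['scheme'] = 'native';
    }
    return true;
}

// Constructed rows, as they might look after copying the forum users
// table into the blog users table with a scheme tag per source.
$users = [
    'alice' => ['scheme' => 'md5',    'hash' => md5('correct horse')],
    'bob'   => ['scheme' => 'native', 'hash' => password_hash('s3cond-pass', PASSWORD_DEFAULT)],
];

$attempts = [
    ['alice', 'wrong guess'],    // rejected, row left untouched
    ['alice', 'correct horse'],  // accepted, row upgraded from md5
    ['alice', 'correct horse'],  // accepted again via the new hash
    ['bob',   's3cond-pass'],    // accepted, already native
];

foreach ($attempts as list($name, $pw)) {
    $result = verify_and_upgrade($users[$name], $pw) ? 'ok' : 'denied';
    printf("%-5s %-6s scheme=%s\n", $name, $result, $users[$name]['scheme']);
}
```

Rows whose owners never log in again keep their legacy hash, so the count of remaining `md5` rows is worth tracking after the migration.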

scithe

6:02 am on Feb 21, 2010 (gmt 0)

10+ Year Member



I imagine the average user has no clue what md5 is. I've always assumed sites used plain text to store passwords and so I have always used different passwords for different places.