DaveP,
I would point out that with regards this:
There are several points of entry into xoops.
First is the database tables, where the password can be read and deciphered quite easily. This requires someone with database read rights at the least on user tables.
Xoops stores md5 encrypted versions of the password, so to break this would meaning running automated comparisons until you hit the combination that provides the correct encrypted format.
Mark
