I just found out that that s9y is using 'unsalted' MD5-Hashes to store the passwords into the database.
I found out because another user is using the same password as me which results in the same hash.
It is a common techniqe to "salt" the passwords by concatenating them with the user name before hashing them.
This has two advantages:
- 1. The hash of the same password looks different for two users so nobody can see that another user is using the same password.
2. It is a simple protection to rainbow table attacks.
Usually this feature can be implemented with one to several (few) lines of code - if I had any Idea of PHP i'd supply a patch