Recent Activity
This is yet another example of why passwords should never be stored in a site's database (in clear text or encrypted). The only correct way to store passwords is a salted hash. I knew this two years ago when I created Even if a hacker were able to get a list of emails and 'passwords', the 'passwords' would be useless since more than one password can hash to the same value; there is no way (on earth or heaven) to go from a hash to clear text! Nor do we store credit card info in the database. We let Amazon handle all credit transactions and only the cookie that Amazon returns is stored in the database. I dare anyone to try SQL Injection on the site. It is written in ASP.NET and those controls neuter SQL!
Commented Dec 15, 2010 on The Dirty Truth About Web Passwords at Coding Horror