Yes! I suggested that we have a separate 'is_developer' status. I assume that in addition to the problem you mentioned, people could also issue destructive commands easily enough. I suspect that even with is_developer, we should also do something about the password problem. I don't think there is any good reason to store the passwords in plaintext. Well, there's one -- it's nice to be able to email someone their password if they forget it. But a better (more secure) solution is to email them a *new* password if they forget their *old* one. The way this should work is this: 1. If you forget your password, you can just enter your email address on the site. 2. A new password is randomly selected and mailed to your email address. At this juncture, though, *either* password should work, both the old and the new. (This prevents a denial-of-service pest from locking you out by requesting your password every 5 minutes, thus causing your old one not to work.) 3. If you log in with your new password, it replaces your real password. Or else you are prompted to select a new password at that point. 4. If you never log in with the new password, nothing else needs to happen. Your old one will still work. In any event, ALL of these passwords should be stored encrypted. ------------- The key is to protect against people being annoying, while also giving some degree of security. Wikipedia passwords aren't so precious -- but still, a certain level of security makes good sense. It isn't so much a concern about people "breaking into your wikipedia account" -- in the old days, the whole notion of an "account" was a total fiction anyway. It's more the concern raised by Lee -- people shouldn't, but they do reuse passwords for both sensitive and nonsensitive things. As for me, you can now use my password from the wikipedia database to see all sorts of things requiring free registration all over the web. :-)