Your passwords are safe!
Before your login data is submitted, the password is converted into a hash instead of being sent to the server in plaintext. In the database, it is likewise stored only as a hash.
todoyu is an open-source project, so its source code is available to everyone. All community members can check the code at any time for possible security holes.
If you choose to stay logged in on your computer, the cookie with your login information is encrypted with Triple DES.
Based on the "Zend Security Review" we improved our security concept to prevent security problems in the future.
todoyu offers a simple way for all extensions to protect themselves against XSS attacks. The whole core and all basic extensions strictly validate all user input to filter out possible attacks. The database abstraction automatically escapes all SQL requests, so no extension can cause SQL injection problems.