I have created an anonymous account to write this, though I can see the emails.
I work as a penetration tester. I've been asked recently to test nopCommerce. I don't really know much about it code-wise, but what I have tested (hashed-password-wise), Hash(SHA1):Salt, is a joke.
On the first very large site it took less than 4 minutes to reverse 40% of the passwords from a well-used password list. It took roughly 2 days to reverse 99% of the remaining passwords.
This was pretty much the case for the rest of them.
In this day and age this is very, very, very, very important.
I don't know what is being updated in this codebase currently, but this should be it. And I really mean above everything else.
SHA1:Hash is just such a joke now; I can't believe it's being used here.
It doesn't matter if you understand what this means, but simply put, from somebody that knows: shout as loud as you can. If whoever is in charge doesn't change this, I would strongly suggest you use something else till they do.
Use this software currently at your peril...
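The following is an added example, not code from the post's author or from the nopCommerce project, showing why a salted SHA-1 falls to a wordlist so quickly and what a hardened replacement looks like. It assumes the weak scheme is SHA1(password + salt) in that concatenation order (an assumption for the demo, not a statement about nopCommerce's exact implementation); the account names, passwords, salts and wordlist are all constructed here, and the helper names (`weak_hash`, `crack_weak`, `strong_hash`, `verify_strong`, `guesses_per_second`) are this example's own.

```python
import hashlib
import hmac
import os
import time

# --- The weak scheme the post describes: SHA1(password + salt) ----------
# Concatenation order (password, then salt) is an assumption for this demo.

def weak_hash(password: str, salt: bytes) -> str:
    """Single unsalted-speed SHA-1 over password||salt, hex encoded."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()

# Constructed sample accounts (made up for this example). Each stored
# record is (user, SHA-1 hex, per-user salt), as a dump would hold them.
_SAMPLE_PASSWORDS = {"alice": "Summer2019", "bob": "password1", "carol": "letmein"}

def make_weak_records(passwords=_SAMPLE_PASSWORDS):
    records = []
    for user, pw in passwords.items():
        salt = os.urandom(8)
        records.append((user, weak_hash(pw, salt), salt))
    return records

# A tiny constructed wordlist standing in for a rockyou-style list.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein",
            "Summer2019", "Welcome1", "P@ssw0rd", "dragon", "monkey"]

def crack_weak(records, wordlist=WORDLIST):
    """Offline dictionary attack against SHA1(password+salt).

    A per-user salt defeats precomputed tables but not this loop: each
    guess costs one SHA-1 (millions per second per CPU core, far more on
    a GPU), so a good wordlist recovers common passwords almost at once.
    Returns {user: recovered_password}.
    """
    found = {}
    for user, stored_hex, salt in records:
        for guess in wordlist:
            if weak_hash(guess, salt) == stored_hex:
                found[user] = guess
                break
    return found

# --- A hardened replacement: PBKDF2-HMAC-SHA256 with a high work factor --
PBKDF2_ITERATIONS = 600_000   # OWASP's recommended floor for PBKDF2-HMAC-SHA256

def strong_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted KDF: each guess now costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify_strong(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    # Constant-time compare so a mismatch cannot be timed byte by byte.
    return hmac.compare_digest(strong_hash(password, salt, iterations), stored)

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for hash_fn(password, salt)."""
    salt = b"\x00" * 8
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    recs = make_weak_records()
    print("cracked from SHA1+salt dump:", crack_weak(recs))
    print("SHA1+salt guesses/s (one core): %.0f" % guesses_per_second(weak_hash))
    print("PBKDF2 guesses/s (one core):    %.2f" % guesses_per_second(strong_hash, seconds=1.0))
```

The measured ratio between the two rates is the whole argument: with SHA-1 the attacker tries every wordlist entry per account for free, while PBKDF2 (or better, Argon2id or bcrypt) makes each guess cost as much as a legitimate login, which is what turns "two days for 99%" into years. Migrating an existing site means re-hashing each user's password with the new scheme at their next successful login, since the plaintext is not otherwise available.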