Every few weeks VB4 gets a security fix. How's the security of Xenforo compared to VB4 and other commercial forum scripts?
Realistically - does it matter which hashing algorithm is used considering the algorithm is already publicly available? As long as they have your hashed password, salt and algorithm it's still the same waiting game.It could use better password hashing. However if people get your hashes you would have other more serious problems to deal with. And vb's hashing wouldn't be any better.
Yes. Some are designed to be hard to crack by GPUs. The old ones like md5, sha etc never anticipated how powerful GPUs would get, only CPUs. GPUs can process millions of hashes per second.Realistically - does it matter which hashing algorithm is used considering the algorithm is already publicly available? As long as they have your hashed password, salt and algorithm it's still the same waiting game.
This isn't really a good comparison.Since launch XF has only had to release a single security fix, and it was for a third party library.
Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.The only major problem I can think of at the moment with XenForo is this; http://xenforo.com/community/threads/suggestion-regarding-login-security.22070/
I'm not too sure if it was ever fixed as no one on the XenForo team replied to the thread but other than that, it's great software and secure.