XenForo currently uses sha256, or sha1 if that isn't available. Basically this:

PHP:
    hash('sha256', hash('sha256', $password) . $salt);
    sha1(sha1($password) . $salt);

These hashes aren't ideal for password storage because they are fast and can be cracked fast. I think XenForo should add support for bcrypt and PBKDF2.

Most to least preference, depending on availability: scrypt*, bcrypt, PBKDF2, sha256, sha1

*PHP does not currently have an official scrypt implementation.
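The preference order suggested in the post, sketched as an added example (not part of the original post and not XenForo's code): it verifies a record stored under the legacy double-hash scheme and re-hashes it with the strongest available scheme on the next successful login. The function names, the record layout, the PBKDF2 iteration count and the use of PHP 7+ are assumptions.

```php
<?php
// Added example, not XenForo code; names and record layout are hypothetical.
const PBKDF2_ITERATIONS = 600000; // assumed work factor, tune per server

// Legacy scheme from the post: algo(algo(password) . salt), sha256 or sha1.
function legacy_hash(string $algo, string $password, string $salt): string {
    return hash($algo, hash($algo, $password) . $salt);
}

// Strongest scheme this PHP build offers, in the post's preference order
// (scrypt is left out: no official PHP implementation).
function best_scheme(): string {
    if (function_exists('password_hash')) return 'bcrypt';
    if (function_exists('hash_pbkdf2')) return 'pbkdf2';
    return in_array('sha256', hash_algos(), true) ? 'sha256' : 'sha1';
}

function make_record(string $password, string $scheme): array {
    $salt = bin2hex(random_bytes(16));
    if ($scheme === 'bcrypt') { // password_hash generates and embeds its own salt
        return ['scheme' => $scheme, 'salt' => '', 'hash' => password_hash($password, PASSWORD_BCRYPT)];
    }
    $hash = $scheme === 'pbkdf2'
        ? hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS)
        : legacy_hash($scheme, $password, $salt);
    return ['scheme' => $scheme, 'salt' => $salt, 'hash' => $hash];
}

function verify_record(string $password, array $rec): bool {
    if ($rec['scheme'] === 'bcrypt') {
        return password_verify($password, $rec['hash']);
    }
    $hash = $rec['scheme'] === 'pbkdf2'
        ? hash_pbkdf2('sha256', $password, $rec['salt'], PBKDF2_ITERATIONS)
        : legacy_hash($rec['scheme'], $password, $rec['salt']);
    return hash_equals($rec['hash'], $hash); // constant-time comparison
}

// After a successful login the plaintext is available, so a record stored
// under a weaker scheme can be re-hashed with the best one.
function login(string $password, array &$rec): bool {
    if (!verify_record($password, $rec)) return false;
    if ($rec['scheme'] !== best_scheme()) $rec = make_record($password, best_scheme());
    return true;
}

$user = make_record('correct horse', 'sha1'); // constructed legacy record
var_dump(login('wrong guess', $user), $user['scheme']);
var_dump(login('correct horse', $user), $user['scheme']);
```

Storing the scheme name beside each hash is what lets old and new records coexist while users migrate one login at a time.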