Password encryption and storage

Am I correct assuming the password is stored in MySQL? What encryption is used? Would it be easy for an external program to access this password (running on server)?
 
Last edited:

Mike

XenForo developer
Staff member
It is in the database. There are varying formats for the password, though the default is bcrypt. It would be possible for this to be accessed via the database directly, though this would require custom coding to authenticate.
 

Mike

XenForo developer
Staff member
Yes. (Though 2.1 does also potentially expose some of the new options for password_hash if your PHP supports it. That's entirely opt-in via the config file though, as it also requires non-standard PHP compilations.)
 
Top