• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Password formula

Jake Bunce

XenForo moderator
Staff member
The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:


XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)


sha256(sha256(password) . salt)
Hello, everyone. Sorry to necro an old thread, but I've been reading into crypto lately as my line of work in software development calls for me to know it better than what I currently do.

So I've got to ask: are we just using hashing algorithms, or are we using bcrypt or scrypt to store passwords?


Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter :)