• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Password formula

Status
Not open for further replies.

Jake Bunce

XenForo moderator
Staff member
#10
The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)
 
#13
Hello, everyone. Sorry to necro an old thread, but I've been reading into crypto lately as my line of work in software development calls for me to know it better than what I currently do.

So I've got to ask: are we just using hashing algorithms, or are we using bcrypt or scrypt to store passwords?

Thanks.
 
#15
Hi,

Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter :)

Cheers
 
#18
The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)
Does that mean:

sha256(sha256(password) + globalxenforosalt) M
 

tyteen4a03

Well-known member
#19
Does that mean:

sha256(sha256(password) + globalxenforosalt) M
The salt is per-user.

Also XF has since moved on to bcrypt which means that the hashed password contains the salt within the string.

Hi,

Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter :)

Cheers
There's not much point in using a "better" SHA version except increasing wait times. SHA-256 is plenty strong. However SHA (and MD5) are generic hashing algorithms while bcrypt/argon2 is specifically designed for password hashing (easy to verify, hard to brute force). You should always use bcrypt/argon2 in new passwords.

For old passwords you have two options:
1. Wait for the user to re-login; XF will re-hash the password to a more secure algorithm automatically.
2. Require everybody to reset everybody's passwords.

Option 1 is much less invasive and is preferred unless your threat model justifies the inconvenience.
 
Last edited:
#20
The salt is per-user.

Also XF has since moved on to bcrypt which means that the hashed password contains the salt within the string.



There's not much point in using a "better" SHA version except increasing wait times. SHA-256 is plenty strong. However SHA (and MD5) are generic hashing algorithms while bcrypt/argon2 is specifically designed for password hashing (easy to verify, hard to brute force). You should always use bcrypt/argon2 in new passwords.

For old passwords you have two options:
1. Wait for the user to re-login; XF will re-hash the password to a more secure algorithm automatically.
2. Require everybody to reset everybody's passwords.

Option 1 is much less invasive and is preferred unless your threat model justifies the inconvenience.
https://xenforo.com/community/threads/xenforo-password-blob-to-sha256.145231/post-1238284
 
Status
Not open for further replies.
Top