
Password formula

Jake Bunce

XenForo moderator
Staff member
#10
The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 or SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)
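
The formula from post #10 as a small Python checker, for example to test a known password against a row exported from xf_user_authenticate. This is an added example, not part of the original post and not XenForo's own code. Assumptions: the inner digest is concatenated as lowercase hex text (what PHP's sha1() and hash() return by default), the variant is picked from the stored digest length, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Hex digest length -> algorithm, for the two variants named in the post.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def _hex_hash(algo: str, data: bytes) -> bytes:
    """Lowercase hex digest as bytes, like PHP's sha1()/hash() default output."""
    return hashlib.new(algo, data).hexdigest().encode("ascii")


def compute_hash(password: str, salt: str, algo: str) -> str:
    """algo(algo(password) . salt): the inner digest is hex text, not raw bytes."""
    inner = _hex_hash(algo, password.encode("utf-8"))
    return _hex_hash(algo, inner + salt.encode("utf-8")).decode("ascii")


def detect_algo(stored_hash: str) -> str:
    """Assumption of this example: choose the variant from the digest length."""
    try:
        return _ALGO_BY_HEX_LEN[len(stored_hash)]
    except KeyError:
        raise ValueError("not a SHA-1 or SHA-256 hex digest") from None


def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute the double hash and compare it with the stored value."""
    candidate = compute_hash(password, salt, detect_algo(stored_hash))
    # Constant-time comparison: do not leak how many leading characters match.
    return hmac.compare_digest(candidate.encode("ascii"),
                               stored_hash.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real data.
    salt = "constructed-salt-0001"
    for algo in ("sha1", "sha256"):
        stored = compute_hash("correct horse", salt, algo)
        print(algo, stored,
              verify("correct horse", salt, stored),
              verify("wrong guess", salt, stored))
```
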
 
#13
Hello, everyone. Sorry to necro an old thread, but I've been reading into crypto lately as my line of work in software development calls for me to know it better than what I currently do.

So I've got to ask: are we just using hashing algorithms, or are we using bcrypt or scrypt to store passwords?

Thanks.
 
#15
Hi,

Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter :)

Cheers