
Password formula

Discussion in 'XenForo Pre-Sales Questions' started by SClark, May 30, 2012.

  1. SClark

    SClark New Member

    How does XenForo hash passwords?

    sha1(username) . sha512(password)

    I'm wanting to update the following, and include XenForo in the mix.
     
  2. ManagerJosh

    ManagerJosh Well-Known Member

    XenForo uses md5(md5(password) . salt) as its password hashing scheme
     
    SClark likes this.
  3. SClark

    SClark New Member

    Thanks, let you know if I have any trouble.
     
  4. Deebs

    Deebs Well-Known Member

    Wrong.

    Code:
    if (extension_loaded('hash'))
    {
        $this->_hashFunc = 'sha256';
    }
    else
    {
        $this->_hashFunc = 'sha1';
    }
     
  5. SClark

    SClark New Member

    Should it be?


    sha256(md5(password) . salt)
     
  6. Deebs

    Deebs Well-Known Member

  7. James

    James Well-Known Member

    vBulletin, not XF ;)

    XF uses sha1.
     
  8. Deebs

    Deebs Well-Known Member

    XF can use SHA256 if it is available.
     
    James likes this.
  9. ManagerJosh

    ManagerJosh Well-Known Member

    I thought it was MD5 :( :( :(
     
  10. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

    library/XenForo/Authentication/Core.php

    XenForo uses a salted double hash using either SHA1 or SHA256:

    sha1(sha1(password) . salt)

    or:

    sha256(sha256(password) . salt)
     
    a legacy reborn likes this.
  11. Mouth

    Mouth Well-Known Member

    How do you make it available? Is it a configuration setting? An OS level library that needs to be installed?
     
  12. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    library/XenForo/Authentication/Core.php

    Code:
    	protected function _setupHash()
    	{
    		if ($this->_hashFunc)
    		{
    			return;
    		}
    
    		if (extension_loaded('hash'))
    		{
    			$this->_hashFunc = 'sha256';
    		}
    		else
    		{
    			$this->_hashFunc = 'sha1';
    		}
    	}
    
    The 'hash' extension must be available in your PHP configuration.

    http://us2.php.net/manual/en/hash.requirements.php
     
    Mouth likes this.
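
The scheme from the two staff posts above (the double hash `func(func(password) . salt)` and the sha256/sha1 choice), as an added example that is not part of the thread or XenForo's own code: a Python check an external system could run against a stored hash and salt. It assumes the inner digest is lowercase hex text as PHP produces it and picks the variant from the digest length; the function names and sample values are constructed for this example.

```python
import hashlib
import hmac

# Assumption of this example: pick the variant from the stored digest length
# (40 hex chars = sha1, 64 = sha256), the two functions named in the thread.
_FUNC_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def identify_variant(stored_hash: str):
    """Return 'sha1', 'sha256', or None for an unrecognised digest length."""
    return _FUNC_BY_HEX_LEN.get(len(stored_hash))


def xf_double_hash(password: str, salt: str, func: str) -> str:
    """Compute func(func(password) . salt) as PHP would evaluate it."""
    if func not in _FUNC_BY_HEX_LEN.values():
        raise ValueError(f"unsupported hash function: {func}")
    # PHP's sha1() and hash() return lowercase hex text, so the outer hash
    # covers the hex string of the inner digest followed by the salt.
    inner = hashlib.new(func, password.encode("utf-8")).hexdigest()
    return hashlib.new(func, (inner + salt).encode("utf-8")).hexdigest()


def verify(password: str, stored_hash: str, salt: str) -> bool:
    """Check a candidate password against a stored hash and its salt."""
    func = identify_variant(stored_hash)
    if func is None:
        return False  # unknown format: reject rather than guess
    candidate = xf_double_hash(password, salt, func)
    # Constant-time comparison on bytes; avoids leaking the match position.
    return hmac.compare_digest(candidate.encode(), stored_hash.lower().encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from any real database.
    salt = "constructed-salt-0001"
    password = "correct horse battery staple"
    for func in ("sha1", "sha256"):
        stored = xf_double_hash(password, salt, func)
        print(func, identify_variant(stored), verify(password, stored, salt))
```

`identify_variant` also lets an operator count how many stored records still use the sha1 form.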
  13. GiantJoe

    GiantJoe Member

    Hello, everyone. Sorry to necro an old thread, but I've been reading into crypto lately as my line of work in software development calls for me to know it better than what I currently do.

    So I've got to ask: are we just using hashing algorithms, or are we using bcrypt or scrypt to store passwords?

    Thanks.
     
  14. Brogan

    Brogan XenForo Moderator Staff Member

    GiantJoe likes this.
  15. Balerathon

    Balerathon New Member

    Hi,

    Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

    Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

    We'd appreciate any help or insight on this matter :)

    Cheers
     
  16. Brogan

    Brogan XenForo Moderator Staff Member

    There are no options related to that.
     
  17. Balerathon

    Balerathon New Member

    Thanks for the fast reply. Was that also for the re-hash question?

    Thanks!
     