Password formula

[SClark]

How does XenForo hash passwords.

sha1(username) . sh512(password)

I'm wanting to update the following, an include xenforo in the mix.

 

[ManagerJosh]

How does XenForo hash passwords.

sha1(username) . sh512(password)

I'm wanting to update the following, an include xenforo in the mix.

XenForo uses md5(md5(password) . salt) as its password hashing scheme

 

[SClark]

Thanks, Let you know if I have any trouble.

 

[Deebs]

XenForo uses md5(md5(password) . salt) as its password hashing scheme

Wrong.

                if (extension_loaded('hash'))
                {
                        $this->_hashFunc = 'sha256';        
                }
                else
                {
                        $this->_hashFunc = 'sha1';
                }

 

[SClark]

Should would it be?


sha256(md5(password) . salt)

 

[Deebs]

Should would it be?


sha256(md5(password) . salt)

Post your question here: http://xenforo.com/community/forums/xenforo-questions-and-support.25/ and I can then continue to answer it.

 

[James]

XenForo uses md5(md5(password) . salt) as its password hashing scheme

vBulletin, not XF

XF uses sha1.

 

[Deebs]

vBulletin, not XF

XF uses sha1.

XF can use SHA256 if it is available.

 

[ManagerJosh]

vBulletin, not XF

XF uses sha1.

I thought it was MD5

 

[Jake Bunce]

The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)

 

[Mouth]

XF can use SHA256 if it is available.

How do you make it available? Is it a configuration setting? An OS level library that needs to be installed?

 

[Jake Bunce]

library/XenForo/Authentication/Core.php

	protected function _setupHash()
	{
		if ($this->_hashFunc)
		{
			return;
		}

		if (extension_loaded('hash'))
		{
			$this->_hashFunc = 'sha256';
		}
		else
		{
			$this->_hashFunc = 'sha1';
		}
	}

The 'hash' extension must be available in your PHP configuration.

http://us2.php.net/manual/en/hash.requirements.php

 

[GiantJoe]

Hello, everyone. Sorry to necro an old thread, but I've been reading into crypto lately as my line of work in software development calls for me to know it better than what I currently do.

So I've got to ask: are we just using hashing algorithms, or are we using bcrypt or scrypt to store passwords?

Thanks.

 

[Paul B]

As per Mike's comments: http://xenforo.com/community/thread...t-my-needs-before-purchase.58560/#post-623290

XenForo supports a number of authentication methods; the default system uses bcrypt.

 

[Balerathon]

Hi,

Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter

Cheers

 

[Paul B]

There are no options related to that.

 

[Balerathon]

Thanks for the fast reply. Was that also for the re-hash question?

Thanks!

 

[Dretax]

The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:

library/XenForo/Authentication/Core.php

XenForo uses a salted double hash using either SHA1 OR SHA256:

sha1(sha1(password) . salt)

or:

sha256(sha256(password) . salt)

Does that mean:

sha256(sha256(password) + globalxenforosalt) M

 

[tyteen4a03]

Does that mean:

sha256(sha256(password) + globalxenforosalt) M

The salt is per-user.

Also XF has since moved on to bcrypt which means that the hashed password contains the salt within the string.

Hi,

Sorry to necro this thread a second time but nothing newer seems to be available. I'm wondering if there's a way to use better versions of SHA or other algorithms. Can we "upgrade" to SHA-512 or even SHA-512/256?

Also, if we've migrated a DB over from vB, is there a way to force a rehash of all passwords or is it best to simply force a password reset and make sure SHA-256 is toggled?

We'd appreciate any help or insight on this matter

Cheers

There's not much point in using a "better" SHA version except increasing wait times. SHA-256 is plenty strong. However SHA (and MD5) are generic hashing algorithms while bcrypt/argon2 is specifically designed for password hashing (easy to verify, hard to brute force). You should always use bcrypt/argon2 in new passwords.

For old passwords you have two options:
1. Wait for the user to re-login; XF will re-hash the password to a more secure algorithm automatically.
2. Require everybody to reset everybody's passwords.

Option 1 is much less invasive and is preferred unless your threat model justifies the inconvenience.

 

[Dretax]

The salt is per-user.

Also XF has since moved on to bcrypt which means that the hashed password contains the salt within the string.



There's not much point in using a "better" SHA version except increasing wait times. SHA-256 is plenty strong. However SHA (and MD5) are generic hashing algorithms while bcrypt/argon2 is specifically designed for password hashing (easy to verify, hard to brute force). You should always use bcrypt/argon2 in new passwords.

For old passwords you have two options:
1. Wait for the user to re-login; XF will re-hash the password to a more secure algorithm automatically.
2. Require everybody to reset everybody's passwords.

Option 1 is much less invasive and is preferred unless your threat model justifies the inconvenience.

https://xenforo.com/community/threads/xenforo-password-blob-to-sha256.145231/post-1238284