
XF 1.5 passwordIterations setting

Discussion in 'XenForo Questions and Support' started by adwade, Aug 29, 2015.

  1. adwade

    adwade Active Member

    • $config['passwordIterations'] - default: 10
    The strength of the bcrypt-based password storage system. Higher numbers are more secure but each increase will roughly double the amount of time it takes to generate or validate a password, leading to higher server usage.

    Can someone explain a little more about this setting? If 10 is good, is 12 better? If so, is 15 too much?

    Also, what is the Maximum Password Length in XenForo? I can't seem to turn up any info on that, other than this (older) thread: How do I increase the password input size in signup form?
    Last edited: Aug 29, 2015
  2. Mike

    Mike XenForo Developer Staff Member

    If you increase the iterations, it will take longer to verify a login. Setting it too high will create a potential DoS vector. However, if the password hashes ever got leaked, it would make it more difficult to brute force. It's really up to you how you want to trade it off, but 10-12 is probably within a reasonable range. 15 is probably too high.

    There isn't an explicit length limit, but I believe it's effectively either 72 or 80 bytes (beyond that it won't generally be used).
    adwade likes this.
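
The trade-off described in the reply above can be measured directly. This is an added example, not part of the original thread and not XenForo's own code: it uses PHP's built-in `password_hash()` and assumes `passwordIterations` corresponds to the bcrypt cost parameter. The sample password and the function names are constructed for illustration.

```php
<?php
// Added example: PHP's built-in bcrypt API, not XenForo's password code.
// Assumption: passwordIterations corresponds to the bcrypt cost parameter.

/** Median wall-clock milliseconds to verify one password at a given bcrypt cost. */
function verifyTimeMs(int $cost, int $runs = 5): float
{
    $password = 'constructed-sample-password';
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);               // nanoseconds, monotonic clock
        password_verify($password, $hash);
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

/** True if two passwords that differ only after byte 72 verify against the same hash. */
function truncatesAt72(): bool
{
    $prefix = str_repeat('A', 72);
    // Cost 4 is the minimum PHP accepts; it keeps this check fast.
    $hash = password_hash($prefix . 'first-suffix', PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($prefix . 'other-suffix', $hash);
}

foreach ([10, 11, 12, 13] as $cost) {
    $ms = verifyTimeMs($cost);
    // Verifications per second per core is the budget a login flood has to exhaust.
    printf("cost %2d: %7.1f ms per verify, ~%5.1f verifies/sec/core\n", $cost, $ms, 1000 / $ms);
}
printf("input past 72 bytes ignored: %s\n", truncatesAt72() ? 'yes' : 'no');
```

Run it on the production hardware: the absolute timings decide which cost is affordable, while the ratio between adjacent costs shows the doubling the setting's description refers to.
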
  3. adwade

    adwade Active Member

    Thanxx, about the only other thing I could turn up on it said:
    So out of curiosity, I went and read part of the LastPass manual which said:
    So what does XenForo use? (SHA-1, SHA-??, SHA-256)
  4. Jeremy

    Jeremy Well-Known Member

    XenForo doesn't use SHA. It uses bcrypt. Mike's response is what you should be looking at.
    adwade likes this.
  5. adwade

    adwade Active Member

    Agreed, as 'now' I understand you-all are talking apples, while I was quoting oranges. ;)
