XF 1.5 passwordIterations setting

[adwade]

• $config['passwordIterations'] - default: 10 
The strength of the bcrypt-based password storage system. Higher numbers are more secure but each increase will roughly double the amount of time it takes to generate or validate a password, leading to higher server usage.​

Can someone explain a little more about this setting? If 10 is good, is 12 better? If so, is 15 too much?

Also, what is the Maximum Password Length in XenForo? I can't seem to turn up any info on that, other than this (older) thread: How do I increase the password input size in signup form?

 

[Mike]

If you increase the iterations, it will take longer to verify a login. Setting it too high will create a potential DoS vector. However, if the password hashes ever got leaked, it would make it more difficult to brute force. It's really up to you how you want to trade it off, but 10-12 is probably within a reasonable range. 15 is probably too high.

There isn't an explicit length limit, but I believe it's effectively either 72 or 80 bytes (beyond that it won't generally be used).

 

[adwade]

Thanxx, about the only other thing I could turn up on it said:

LASTPASS: Increase Password Iterations
You can also increase the Password Iterations (PBKDF2) value. Essentially, the more iterations you use, the longer it will take to check if any password is the correct one. A larger value will make the login process take longer (especially on slower platforms, such as older versions of Internet Explorer and mobile browsers), but brute-force attempts at cracking your password password will also be slowed. LastPass recommends you use 500 password iterations and not exceed 1000. (Source How-to-Geek)

So out of curiosity, I went and read part of the LastPass manual which said:

5000 rounds provides a good balance between increased security and the inconvenience of longer pauses when logging in to your account. While it’s tempting to point to the number of rounds when comparing implementations of PBKDF2 across services, this is essentially an apples to oranges comparison, as other services may be using SHA-1, which is less computationally intense than SHA-256. In other words, SHA-256 is a more intensive process than SHA-1, so a lower number of rounds can still be a higher level of security against brute-force attacks.(Source User Manual)

So what does XenForo use?(SHA-1, SHA-??, SHA-256)

 

[Jeremy]

XenForo doesn't use SHA. It uses bcrypt. Mike's response is what you should be looking at.

 

[adwade]

Agreed, as 'now' I understand you-all are talking apples, while I was quoting oranges.