
XF 1.3 passwords

Mike

XenForo developer
Staff member
#4
Well the passwords are there, but they're one-way hashed. If your DB has been compromised, you need to assume the passwords have too.
 

DRaver

Active member
#5
Oops, I always thought the passwords would be encrypted in XF and not only hashed.

What can the thief do with the hash? Make a brute force to find the real pw or use a tool for that?
 

duderuud

Active member
#6
Afaik the method of encrypting hasn't been compromised yet. So you should be relatively safe. But remember, if they can't be hacked today, maybe they can tomorrow...
 

Mike

XenForo developer
Staff member
#7
Encryption means it can be reversed (with the correct key). Hashing means it can't. You never want to encrypt a password.

But yes, they can attempt to brute force a password. Since 1.2 (new users since then or anyone who logged in with a password since then), we use bcrypt which makes this harder/slower, but it's still possible. To be safe, you need to assume that passwords have been compromised.
 

Mike

XenForo developer
Staff member
#9
There are no bulk password management tools built in. You would need to ask/tell people to update their passwords.
 

DRaver

Active member
#12
Another question @Mike .

I add a user in XF and create a password. In the database I see the pw hash.
If I copy this hash in the database to another user, then both have the same password.

Is this a bug? I want to give no instructions for hacking. If this is too critical, then simply delete the thread and reply to me privately.
 

Mike

XenForo developer
Staff member
#13
What you're suggesting would really provide no benefit.

If someone (untrusted) has database access, all is lost. If they can write to it, the entire integrity of it is compromised.
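An added example (not XenForo's code) illustrating the points in #7 and #13: a salted, slow one-way password hash cannot be reversed like encryption, two users with the same password get different stored strings, and copying one user's stored string to another user's row does give them the same password because the salt and work factor travel inside the string. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (same properties, no third-party package needed); the `pbkdf2$...` storage format is constructed here.

```python
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt (XenForo 1.2+ uses bcrypt): PBKDF2-HMAC-SHA256 from the
# standard library. The work factor is the iteration count; the constructed
# storage format "pbkdf2$<iterations>$<salt hex>$<digest hex>" is an assumption.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    # A fresh random salt per user: the same password never yields the same string.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Verification re-derives the digest; nothing in the string can be "decrypted".
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant time


def same_password_different_hashes(password: str) -> bool:
    # Two accounts created with the same password store different strings.
    return hash_password(password) != hash_password(password)


def copied_hash_logs_in(password: str) -> bool:
    # Post #13: someone with DB write access copies user A's string into user B's
    # row; B now authenticates with A's password. That requires write access,
    # at which point the database's integrity is already gone.
    user_a_row = hash_password(password)
    user_b_row = user_a_row
    return verify_password(password, user_b_row)


def seconds_per_guess(iterations: int) -> float:
    # Post #7: a higher work factor makes each offline guess slower (and
    # legitimate logins too), which is why the hash is tunable rather than fixed.
    start = time.perf_counter()
    hash_password("probe", iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("different salts:", same_password_different_hashes("hunter2"))
    print("copied row works:", copied_hash_logs_in("hunter2"))
    for n in (1_000, ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f}s per guess")
```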