XF 1.5 XenForo 1.2+ Password Encryption

Robust

Well-known member
Hey,

Trying to port some data over from XenForo into a custom Rails app.

Looks like after XF1.2, XF stopped using sha256(sha256(password) . salt) and started using phpass (0.3), slightly modified. Many versions of this were released, a couple got ported to Ruby, but it's a slight hit and miss.

The hashes generated look a bit like this:
Code:
a:1:{s:4:"hash";s:60:"$2a$10$Q6[...]";}

That's the identifier for bcrypt, I think ($2a$10: bcrypt ($2a), cost factor 10 ($10)). Just confirming this hash is actually bcrypt, since I have no clue on password hashing and whatnot. Been scratching my head with this for a while. It's not explicitly mentioned in the script, so I'm guessing there was no bcrypt function when the script was written.
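The record format quoted in the post can be checked structurally before any migration code trusts it. The Ruby below is an added example, not part of the original post and not XenForo's code: it parses the PHP-serialized array and reports whether the `hash` field has the shape of a bcrypt string. The function names and the sample value are assumptions made up for the illustration.

```ruby
# Added example: stdlib-only reader for the auth record format quoted in the post.

# Parse a flat PHP-serialized array of strings: a:N:{s:len:"...";s:len:"...";}
# PHP string lengths are byte counts, so work on a binary copy of the input.
def parse_php_string_array(data)
  m = /\Aa:(\d+):\{(.*)\}\z/m.match(data.b) or raise ArgumentError, 'not a serialized array'
  body = m[2]
  pos = 0
  items = []
  while pos < body.bytesize
    head = /\Gs:(\d+):"/.match(body, pos) or raise ArgumentError, "bad token at byte #{pos}"
    len = head[1].to_i
    start = head.end(0)
    # A declared length that overruns the data (e.g. an elided hash) is rejected.
    raise ArgumentError, 'string length mismatch' unless body.byteslice(start + len, 2) == '";'
    items << body.byteslice(start, len).force_encoding('UTF-8')
    pos = start + len + 2
  end
  raise ArgumentError, 'element count mismatch' unless items.size == m[1].to_i * 2
  items.each_slice(2).to_h
end

# bcrypt modular-crypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Classify the "hash" field of one record (hypothetical helper name).
def describe_xf_auth(data)
  hash = parse_php_string_array(data).fetch('hash') { raise ArgumentError, 'no hash field' }
  m = BCRYPT_RE.match(hash)
  return { scheme: :unknown } unless m

  { scheme: :bcrypt, variant: m[1], cost: m[2].to_i, salt: m[3] }
end

# Constructed sample: correct shape, placeholder characters, not a real hash.
SAMPLE_RECORD = 'a:1:{s:4:"hash";s:60:"$2a$10$' + ('A' * 53) + '";}'

puts describe_xf_auth(SAMPLE_RECORD).inspect if $PROGRAM_NAME == __FILE__
```

A record classified as `:bcrypt` can then be checked with any bcrypt implementation that accepts the `$2a$` string; that step is left out so the block needs only the standard library.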