What is being done about XF's salting algorithms? I read that you support multiple algorithms but what about the default one?
vBulletin uses the salt, but it uses it in a way which renders this salt completely useless. Everyone knows vBulletin's algorithm, and the salt is stored in a very subtle *cough* database named "salt", which makes this salt useless. The salt, the password hash and the algorithm mean that this salt isn't doing its role.
I think that the salt should be a unique string that is generated on every unique download (so that everyone's software has a different salt) and I feel that this salt should be stored in the filesystem and not the database.
Yes, it makes your passwords less secure in the sense that it is one-salt-fits-all, but at least if your database is dumped your user passwords are still secure!
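As an added illustration (not XenForo's or vBulletin's code, and not part of the original thread), here is the scheme the discussion is circling: a per-user random salt stored next to the hash in the database, plus a site-wide secret kept outside the database (what the post calls a filesystem-stored salt is usually called a pepper). The per-user salt keeps doing its job even though it is stored in the database: it defeats precomputed tables and forces each account to be attacked separately. The pepper is what a database dump alone cannot give an attacker. The algorithm name, iteration count, `APP_PEPPER` variable and the fallback secret are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example; the thread does not say what XenForo actually uses.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def load_pepper() -> bytes:
    """Site-wide secret that lives outside the database (config file or
    environment). Assumed variable name; the constructed fallback value only
    exists so the example runs offline and must never be used for real."""
    return os.environ.get("APP_PEPPER", "example-pepper-do-not-use").encode()


def _peppered(password: str, pepper: bytes) -> bytes:
    # Bind the password to the pepper with HMAC before key stretching.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes) -> dict:
    """Return the record to store in the database: a fresh per-user salt,
    the stretched hash, and the parameters needed to verify it later.
    Nothing in this record reveals the pepper."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, ITERATIONS)
    return {
        "algorithm": ALGORITHM,
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in
    constant time. Without the correct pepper this fails even for the right
    password, which is exactly what an attacker holding only a DB dump faces."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> tuple:
    """Constructed demonstration: two users with the same password."""
    pepper = load_pepper()
    alice = hash_password("correct horse", pepper)
    bob = hash_password("correct horse", pepper)
    # Per-user salt: identical passwords produce different stored hashes.
    distinct_hashes = alice["hash"] != bob["hash"]
    # Normal login succeeds, a wrong password fails.
    login_ok = verify_password("correct horse", alice, pepper)
    wrong_password = verify_password("wrong", alice, pepper)
    # Attacker with the dumped record but the wrong (unknown) pepper cannot confirm a guess.
    wrong_pepper = verify_password("correct horse", alice, b"some-other-secret")
    return distinct_hashes, login_ok, wrong_password, wrong_pepper


if __name__ == "__main__":
    print(demo())
```

The salt and hash are stored together because the salt is not a secret; its role is uniqueness per user. The pepper is the one value that must stay out of the database, and the trade-off the post describes applies to it: if the pepper is lost, every stored hash becomes unverifiable, and if it leaks together with the database, only the salt and the key stretching remain.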