Posted October 18, 2016

Hello,

With the 4.x version, passwords are stored in the database, but the salt is also stored. Why store the hash? (Extract from http://php.net/manual/en/function.password-hash.php: "The used algorithm, cost and salt are returned as part of the hash".) Also, is the cost generated depending on the server, or is it set to 13 by default?

Thanks,
Benjamin

October 19, 2016

We actually use crypt() rather than password_hash(), as we only recently started requiring a PHP version which includes that function (although the algorithm being used is the same), which necessitates the salt being stored separately. Now that our minimum PHP requirements have increased, I imagine we will switch over in a future version. The cost is set to 13.

October 19, 2016 (Author)

Thanks for these elements. Even if it's not the priority, it should be on your todo list, yep.

October 20, 2016

@Mark is there a topic that discusses the new way that you guys store passwords on IPB 4? So I can copy and paste that information into a topic to tell my members that they are more safe from having their passwords uncracked if it ever happened to my board.

October 20, 2016

Not as such. We use Blowfish hashing, which is a standard technique. It is salted (so rainbow tables cannot be used) and deliberately slow (to limit the effectiveness of brute-forcing).
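
The point raised in the replies above (crypt() with a separately stored salt at cost 13, versus password_hash()), as an added PHP example that is not Invision Community's code: it shows that a bcrypt hash string already carries its prefix, cost and salt, so password_verify() can check a crypt() hash without the salt column. The `$2y$` prefix, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not Invision Community code.
const COST = 13; // cost stated in the thread

// Legacy check: recompute crypt() from the separately stored salt (assumed
// "$2y$" prefix) and compare in constant time.
function verifyLegacy(string $password, string $hashColumn, string $saltColumn): bool
{
    $settings = sprintf('$2y$%02d$%s', COST, $saltColumn);
    return hash_equals($hashColumn, crypt($password, $settings));
}

// Same check without the salt column: password_verify() reads the prefix,
// cost and salt out of the hash string itself.
function verifySelfContained(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// On a successful login, return a replacement hash if the stored one does not
// match the current algorithm and cost, otherwise null.
function upgradedHash(string $password, string $hash): ?string
{
    if (!password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => COST])) {
        return null;
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => COST]);
}

// Constructed sample data: a password and a 22-character salt from bcrypt's
// ./A-Za-z0-9 alphabet.
$password   = 'correct horse battery staple';
$saltColumn = 'ConstructedSampleSalt.';
$hashColumn = crypt($password, sprintf('$2y$%02d$%s', COST, $saltColumn));

var_dump(verifyLegacy($password, $hashColumn, $saltColumn));
var_dump(substr($hashColumn, 7, 22) === $saltColumn); // salt is embedded in the hash
var_dump(verifySelfContained($password, $hashColumn));
var_dump(verifySelfContained('wrong guess', $hashColumn));
var_dump(password_get_info($hashColumn)['options']);  // cost read back from the hash

// A hash stored at a lower cost is flagged and replaced at login.
$oldHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$newHash = upgradedHash($password, $oldHash);
var_dump($newHash !== null && verifySelfContained($password, $newHash));
var_dump(upgradedHash($password, $hashColumn)); // already at cost 13
```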