MyBB Community Forums

Full Version: Password Hashing Option At Installation
Currently MyBB uses a salted md5 hash, very weak password hashing compared to what we have today. Ideally MyBB 1.10 would switch to Argon2 password hashing, although only new versions of Linux with libargon and PHP 7.2 support that, so I would recommend giving users an option when installing / upgrading to MyBB 1.10 to choose from a few options: Salted-MD5 (Compatibility Mode!), Bcrypt (Recommended!), and Argon2 (Advanced - Most Secure - Compatibility Issues May Occur!). It would keep security more flexible while still allowing forum owners full control over the security of their forum. Yes, I know there are plugins, but native support would be awesome.
Somewhat already discussed in this thread here:

https://community.mybb.com/thread-214228.html

Please use the search function next time Lunorian.
(2017-12-04, 01:33 PM) Lunorian wrote: Currently MyBB uses a salted md5 hash, very weak password hashing compared to what we have today.

Currently, MyBB runs an archaic base.

As I'm sure you're aware, the aim with 1.10 is to bring it up to date, gradually. This would be a good starting point, and should use the inbuilt hashing tools in Laravel; bcrypt.

But as has been said, this has been discussed.
I don't think md5 should be an option on fresh installations; ideally people should be pushed towards bcrypt instead. For upgrades, password hashes could be flipped to a stronger algorithm whenever someone logs in / resets their password, so you don't really need to make everything md5, just backwards compatibility for those older accounts.
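
The upgrade-on-login approach suggested in the last post, as an added example that is not part of the thread and is not MyBB's own code. The legacy formula `md5(md5($salt) . md5($password))`, the `$user` array layout, and the function names are assumptions made for this sketch.

```php
<?php
// Added example: flip legacy salted-MD5 hashes to bcrypt when a user logs in.
// Assumptions: legacy formula below, and a $user row with 'password' and 'salt'.

const TARGET_ALGO = PASSWORD_BCRYPT;
const TARGET_OPTS = ['cost' => 12];

function legacy_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

/**
 * Verify a login attempt.
 * Returns [bool $ok, ?string $newHash]; a non-null $newHash must be stored
 * by the caller (and the legacy salt cleared).
 */
function verify_and_upgrade(array $user, string $password): array
{
    $stored = $user['password'];

    // A legacy hash is exactly 32 lowercase hex characters.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Constant-time comparison against the old scheme.
        if (!hash_equals($stored, legacy_hash($password, (string) $user['salt']))) {
            return [false, null];
        }
        // Plaintext is only available now, so this is the moment to re-hash.
        return [true, password_hash($password, TARGET_ALGO, TARGET_OPTS)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already modern, but the cost or algorithm may be below the current target.
    $new = password_needs_rehash($stored, TARGET_ALGO, TARGET_OPTS)
        ? password_hash($password, TARGET_ALGO, TARGET_OPTS)
        : null;
    return [true, $new];
}

// Constructed sample account, not real data.
$user = ['salt' => 'a1b2c3d4', 'password' => legacy_hash('correct horse', 'a1b2c3d4')];

[$ok, $new] = verify_and_upgrade($user, 'correct horse');
if ($ok && $new !== null) {
    $user = ['salt' => '', 'password' => $new]; // persist to the user table here
}
var_dump($ok, verify_and_upgrade($user, 'correct horse'), verify_and_upgrade($user, 'wrong'));
```

Accounts that never log in again keep their MD5 hash, so a migration like this still needs a policy for dormant users, such as forcing a password reset after a cutoff date.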