No announcement yet.

Password Structure

  • Filter
  • Time
  • Show
Clear All
new posts

  • Password Structure


    We were running an old v3 forum and linked this to our in house systems so we could sync the users password across our system and the forum.

    Since upgrading to v5.6.4 this has stopped working.
    When we log in we get an SQL error advising salt & password don't exist in the users table.

    Are there any details on how users passwords are now generated and is there anyway way this can be copied to another application so the credentials are the same.


  • #2
    There is an article on this -

    vBulletin 5.6.X will use either Bcrypt or Argon2id depending on your server configuration. Argon2id is generally considered more secure than Bcrypt. There is no password field because we never store a password in the database. vBulletin 5 doesn't actually generate salts either. Doing this is considered insecure today. Instead the password_hash function of PHP will create a SALT every time it creates a new hash. No two hashes from the same user should use the same salt.

    The password hash, salt, and method of hashing are stored in the token field within the user table.

    To facilitate logins from vBulletin 3 and 4 users after an upgrade, there is also a Legacy password scheme. This is used to match the password on the md5(md5(password)+salt) scheme that these systems used with the user's first login. The password that was sent will then be re-hashed as one of the secure methods supported. MD5 should not be considered completely secure in 2020. We recommend against using the Legacy scheme permanently in a live environment.

    You can see the code for vBulletin Password hashing by downloading the Non-PHAR version of the software and looking at the files in /core/vb/utility/password. However, we simply use the password_hash() and password_verify() functions in PHP.

    You can edit the order which Password Schemes are used by editing /core/includes/xml/pwschemes_vbulletin.xml. You can add your own password scheme by creating a custom pwschemes_XXXXX.xml file and placing it in the same directory.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API


    Related Topics