What hashing algorithm is used in discourse for hashing passwords?

Mohit_Gupta · August 18, 2015, 6:41am

what hashing algorithm is used in discourse for hashing passwords?

sam · August 18, 2015, 6:43am

PBKDF2, see:

docs/SECURITY.md

9ce660386

## Discourse Security

We take security very seriously at Discourse. We welcome any peer review of our 100% open source code to ensure nobody's Discourse forum is ever compromised or hacked.

### Where should I report security issues?

In order to give the community time to respond and upgrade we strongly urge you report all security issues privately. Please email us at `team@discourse.org` with details and we will respond ASAP. Security issues *always* take precedence over bug fixes and feature work. We can and do mark releases as "urgent" if they contain serious security fixes.

### Password Storage

Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web [tend to agree that PBKDF2 is a secure choice](http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage).

**options you can customise in your production.rb file**

- `pbkdf2_algorithm`: the hashing algorithm used (default "sha256")
- `pbkdf2_iterations`: the number of iterations to run (default 64000)

### XSS

The main vector for [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks is via the post composer, as we allow users to enter Markdown, HTML (a safe subset thereof), and BBCode to format posts.

This file has been truncated. show original

gaurav18 · April 17, 2018, 2:31am

How can I get the hash key?
Is salt the hash key?

JammyDodger · June 8, 2024, 12:37pm

This topic was automatically closed after 3217 days. New replies are no longer allowed.

Topic		Replies	Views
Using Discourse as an account provider and PBKDF2 problems Dev	10	556	January 6, 2024
Password hash algorithm Dev	9	1732	May 14, 2021
Export password hashes in the PHC format Self-Hosting how-to	8	4445	January 7, 2021
Adding SSO after many users already signed up -- how to migrate them? SSO	17	1473	September 11, 2022
Is there a way to manually locate user's passwords? Support	23	5120	October 19, 2021

What hashing algorithm is used in discourse for hashing passwords?

Related topics