Password hash storage and alghoritms

[GwynBleidD]

Now password hashing in IPB 4 is done much better than in old versions, but not perfect.

First of all: all password hashing alghoritms sooner or later will become insecure and replaced with modern one (good example: md5), even alghoritms with iteration count will need to increase value of iterations after period of time (half of year?).

Secondly: some forum admins would like to use other hashing method for better fit with third party apps that can't use alghoritm that is built into IPB. For example PBKDF4-SHA256.

For better support of different hashing alghoritms and better upgradability, I would recommend password system from Django framework

In short words: give site administrator ability to specify multiple hashers, in prefered order. Each hasher will have it's own unique identificator and it will be set in database with salt, password hash and other parameters.

All of it can be set in one field of database in example format: hasher$iterations_or_other_parameters$hash$salt. Now, when creating new user or changing it password, first password hasher will be used (with most priority). When system gets user from database for log in, will decide which hasher should check password depending on hasher id (first parameter) and will send rest of informations into it, but additionally: if password hasher for user is not first one, it will be updated (we have now plaintext password sent from user, so we can generate other hash from it). Also it will be updated if iteration count for that particular password is less than current iteration count for selected hasher. That way we can upgrade or change hashing alghoritm in any time.

Also on conversion from old IPB forum, we can create temporary hash by hashing old md5 hash with modern hash alghoritm, so it will be secure, but when user logs in, whole hash will be converted into modern hash alghoritm for better compatibility.