the new password branch in svn uses 2 salts to hash the password with and then the final password +2salts is hashed using sha256.
it's basicly (broken down)
$pass_plain = 'plaintext_password';
$pass_salt = $userSalt.md5($pass_plain).$mainSalt;
$final_hash = sha256($pass_salt);
that's a very basic description.
each of the salts is 64 characters long they are added to the pass_plain which is md5 before adding the salts.
then sha256 the result.
basicly sha256 is now hashing a 160 character password.
i don't think that can easily be bruteforced or decrypted. lol
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1217&post_id=11281