Some suggestions (not dumb)
@Pompompurin The encryption is on top of Argon2id, and the key is stored as an environment variable on the server or in a file. If any of your plugins have an SQL injection vulnerability, the attackers will not even have the chance to reverse the hashing on any of the passwords, and the speed difference is minimal. Maybe I worded that part weirdly originally, but I highly recommend you consider it.

https://github.com/dvz/mybb-dvzHash#encryption

Everything else is cool.
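What the suggestion above amounts to in code, as an added illustration that is not dvzHash's own implementation: the password is hashed with Argon2id as usual, and the resulting hash string is then encrypted with a key that lives outside the database (here read from a hypothetical PASSWORD_HASH_KEY environment variable). A database dump obtained through SQL injection then contains only ciphertext, so there is no Argon2id hash to attack offline, while the extra cost per login is one secretbox operation, negligible next to Argon2id itself. Requires PHP 7.2+ with ext/sodium and Argon2 support in password_hash().

```php
<?php
declare(strict_types=1);

// Load the hash-protection key from the environment (hypothetical variable name).
// The key must never be stored in the database the hashes live in.
function loadHashKey(): string
{
    $hex = getenv('PASSWORD_HASH_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PASSWORD_HASH_KEY must hold a 32-byte key as hex');
    }
    return sodium_hex2bin($hex);
}

// Hash with Argon2id, then encrypt the hash string with the server-side key.
// Stored format (constructed for this example): "enc$" . base64(nonce . ciphertext).
function protectPassword(string $password, string $key): string
{
    $hash = password_hash($password, PASSWORD_ARGON2ID);
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($hash, $nonce, $key);
    return 'enc$' . base64_encode($nonce . $ciphertext);
}

// Decrypt the stored value with the key, then verify the password against the
// recovered Argon2id hash. A wrong key or a tampered row fails authenticated
// decryption and is rejected before any password comparison happens.
function verifyPassword(string $password, string $stored, string $key): bool
{
    if (strncmp($stored, 'enc$', 4) !== 0) {
        return false;
    }
    $raw = base64_decode(substr($stored, 4), true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return false;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $hash = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($hash === false) {
        return false;
    }
    return password_verify($password, $hash);
}

// Demo only: generate a throwaway key into the environment. In production the
// key is provisioned once (e.g. in the web server's environment or a root-only file).
putenv('PASSWORD_HASH_KEY=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
$key = loadHashKey();

$stored = protectPassword('correct horse battery staple', $key);
var_dump(strncmp($stored, '$argon2id$', 10) === 0);      // the DB column is not a raw Argon2id hash
var_dump(verifyPassword('correct horse battery staple', $stored, $key));
var_dump(verifyPassword('wrong password', $stored, $key));
// Someone holding only the database row and not the key cannot recover the hash:
var_dump(verifyPassword('correct horse battery staple', $stored, sodium_crypto_secretbox_keygen()));
```

The design choice worth noting is that the encryption layer is authenticated (secretbox), so a row altered in the database fails closed rather than being fed to password_verify(); the trade-off, which the reply below raises, is that the key becomes a second secret to back up and rotate, and losing it locks every user out.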
(March 28, 2022, 07:42 PM) way2high Wrote: @Pompompurin The encryption is on top of Argon2id, and the key is stored as an environment variable on the server or in a file. If any of your plugins have an SQL injection vulnerability, the attackers will not even have the chance to reverse the hashing on any of the passwords, and the speed difference is minimal. Maybe I worded that part weirdly originally, but I highly recommend you consider it.

https://github.com/dvz/mybb-dvzHash#encryption

Everything else is cool.


Already using Argon2id; adding extra stuff (encryption on top of an already good password hashing algo) adds a lot of overhead and more things that could go wrong.

Closing this thread and moving to Accepted, I think I did most of your suggestions.

https://pompur.in