The password is saved in the database as md5(md5(password) . salt), so it already includes salt (or maybe you mean something different). The place that creates the hash is in includes/class_dm_user.php, function hash_password(), and the main place that checks it is in includes/functions_login.php, function verify_authentication(). But if you were going to change it to sha2 I think there are other places that would need to be changed as well (searching all code for md5(md5( is probably a good start).
|