[kh99]

I'm not any kind of expert in password hashing or security, so someone please correct me if I'm wrong, but: I think it may be relevant because my understanding is that the user tables were taken, and some passwords obtained by some kind of guessing (brute force, dictionary, or whatever you call it). This is possible because the md5 algorithm is pretty fast, so a lot of guesses can be made quickly. And if that's true then I understand that crypt() with blowfish is better than just replacing md5() with a call to hash('sha256'...) because blowfish was designed to be slow to make guessing harder.

(Edit: It is true that the hashing algorithm wasn't the cause of the original security breach, maybe that's what squidsk meant).

I think it might be possible to do it using plugins today (things were different when Paul wrote the above comment), but I'm not sure if that's the best way to do it because if you have a need to disable all plugins (or some curious or careless admin disables the product), no one would be able to log in. As for dealing with the browser side of things, I think if you made the algorithm blowfish(md5(password)) then you could leave the browser side of things the same. And if you used blowfish(md5(md5(password).salt)) (where salt is the existing vb salt column) then I think you could also convert the existing passwords instead of making everyone pick a new one. That wouldn't help the OP who wanted to transfer passwords from a different database, but if your concern is security in case the db is stolen then it wouldn't matter. (BTW, "blowfish" isn't a php function, but you get the idea).

In any case, there is a mod that exists here: www.vbulletin.org/forum/showthread.php?t=288450 (which I haven't actually tried). I've been thinking of making one myself because I have a few other features/options I'd like to add (like converting of existing password as I mentioned above).