Board: Bitcoin Discussion
Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
by Robert_A on 06/09/2016, 06:49:31 UTC
The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.

I guess I'd agree with that. I think that one extra step of security would be to have implemented a custom salt for every user's password, which would increase the difficulty of increasing the passwords.
Also, from StackOverflow:

Quote
Bcrypt really shines for online attacks, if you have set the work factor properly, because even if I get the hash, meant to say if the 'adversary' gets the hash, the work factor makes it really painful to go through an entire dictionary, taking multiple days, and if the password isn't in the dictionary, then I'm really in trouble cause a brute force attack will be epic; the password bit space for bcrypt is quite large though finite.

Sha256 may be taking a bit of time now, but eventually computers will get faster and faster and it'll be fairly easy for attacks; the unix guys thought crypt was so slow it would never have been an issue, and today I have done an online attack in seconds, offline attack in days, a brute force attack (going through the entire password bit space) in weeks ...

Quote from: theymos
The forum uses sha256crypt with rounds=7500

Not all of the passwords in the database leak had that encryption :p

At the end of the day, you could implement the strongest algorithm, but if users are stupid enough to use their password more than once and, even worse, on a site that stores passwords in plaintext or in a weak algorithm like message digest 5 (MD5), they deserve to be hacked. Like, honestly, how hard is it to use a different password by even changing 1-2 parts of your password?
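The two knobs argued about in this thread, a per-user salt and a rounds (work factor) setting, as an added example that is not the forum's code: PBKDF2-HMAC-SHA256 from Python's standard library stands in for sha256crypt, using the rounds=7500 quoted above; the record format, the sample password list and the wordlist are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 stands in for the forum's sha256crypt (this is not the
# forum's code); it has the same two knobs under discussion: a per-user salt
# and a rounds count. 7500 is the work factor quoted in the thread.
ROUNDS = 7500


def hash_password(password, rounds=ROUNDS, salt=None):
    """Return a self-describing record 'pbkdf2-sha256$rounds$salt$digest' (hex fields)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the salt and rounds stored in the record; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_store(passwords):
    """The weak scheme the post criticises: one plain digest per password, no salt, no rounds."""
    return [hashlib.sha256(p.encode()).hexdigest() for p in passwords]


def offline_work(passwords, wordlist):
    """Compare what an offline guesser must compute against the two storage schemes.

    Unsalted: one precomputed table of len(wordlist) digests answers for every user.
    Salted + rounds: that table is useless; each (user, word) pair costs a fresh slow hash.
    Returns (unsalted_evaluations, salted_evaluations, users_matched_by_both).
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    weak_hits = sum(1 for h in unsalted_store(passwords) if h in table)
    salted_evals, strong_hits = 0, 0
    for rec in (hash_password(p) for p in passwords):
        for word in wordlist:
            salted_evals += 1
            if verify_password(word, rec):  # stop at the first match for this user
                strong_hits += 1
                break
    # Both schemes give up the same weak passwords; only the salted cost grows with user count.
    return len(table), salted_evals, min(weak_hits, strong_hits)
```

The salted count scales with the number of users, and each evaluation is 7500 rounds rather than one digest, which is the multiplication the post's "custom salt for every user" would buy.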