How the users passwords ar encrypted at database?


Where can i found the description of how the users passwords are encrypted at databes (MariaDB)?
I looked at security page and admin docs and found anything :frowning:



I can’t provide detailed information, because I don’t know in detail. Nonetheless the passwords are saved in DB in the table oc_users. I came to think that the password is salted with the salt stored in $NCROOT/config/config.php but reading the manual of PHP it seems, that is no longer the case since PHP 7.0.

Maybe @LukasReschke can give further details here. Could you explain please if and how the password is salted in NC13?
What I can see so far is, that there is no salt in the oc_users table what I read as good practice - having one salt for each user’s password stored in table together with the password itself.

However, for the password storage the PHP function password_hash is used:

From the PHP code I can see that this function is called with PASSWORD_DEFAULT and an “options” variable which contains the hashing cost (don’t understand the meaning here exactly). I believe it means how often the password will be hashed … maybe depending on the performance of the server more or less often. The manual says something about 10 times is default.
I can’t figure out if this options variable contains something more than the hashing cost though.

1 Like

@LukasReschke Hello. Can i get more information about it? :slight_smile:

1 Like

This question is quite old now but i was also interested in the answer so i looked it up in the code. Like @Schmu said, NC uses the password_hash function to hash the user passwords.

public function hash(string $message): string {
	if (\defined('PASSWORD_ARGON2I')) {
		return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
	} else {
		return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);

Like you see, there are two supported algorithms. The used algorithm depends on your PHP environment. If your environment supports the Argon2i algorithm, this one will be used (see, i think this is possible since NC14). Otherwise the BCrypt algorithm is used as fallback. Both of them are used with a randomly generated salt like it’s recommended by the PHP documentation.

Like @Schmu mentioned you can have a look at the oc_users table where the password hashes are stored. If you see hashed starting with ‘2|…’ your NC instance uses the Argon2i, the ‘1|…’ are BCrypt hashes.

One last sentence to the hashing cost: this is a parameter you can define in you config.php ( The default cost is 10. It controls how much time the algorithm needs to generate and verify the password hashed. You can read more about this here