by biot 5101 days ago
The Envato post says the passwords will be individually hashed and salted. The aMember forum has a few more details:

4.1.3 release: http://www.amember.com/forum/threads/amember-pro-version-4-1... states "Removed user.pass variable from email templates. Plain text password is not available anymore."

4.1.6 release: http://www.amember.com/forum/threads/amember-pro-version-4-1... states "Closes #448 - and do not save md5 passwords at all".

User issue: http://www.amember.com/forum/threads/urgent-amember-v4-1-12-... "Unfortunately, in the email received by customers, the password comes out encrypted like $P$BkTNDykCkTfsOqHwsV4TT2/"

The hash format indicates it's using PHPass: http://cvsweb.openwall.com/cgi/cvsweb.cgi/projects/phpass/Pa... which is based on MD5, but with the log of the number of rounds indicated by the first character after the $P$ prefix. In the forum example, it's "B" which is 11 making it 2^11 rounds. The remainder is an 8-character salt plus checksum. PHPass is authored by "Solar Designer" (Alexander Peslyak), also the author of John the Ripper and respected in the security community: http://en.wikipedia.org/wiki/Alexander_Peslyak so it is likely pretty solid.

1 comments

Solar Designer is great. Here's what his PHPass page says:

The preferred (most secure) hashing method supported by phpass is the OpenBSD-style Blowfish-based bcrypt, also supported with our public domain crypt_blowfish package (for C applications), and known in PHP as CRYPT_BLOWFISH, with a fallback to BSDI-style extended DES-based hashes, known in PHP as CRYPT_EXT_DES, and a last resort fallback to MD5-based salted and variable iteration count password hashes implemented in phpass itself (also referred to as portable hashes).

To ensure that the fallbacks will never occur, PHP 5.3.0+ or the Suhosin patch may be used. PHP 5.3.0+ and Suhosin integrate crypt_blowfish into the PHP interpreter such that bcrypt is available for use by PHP scripts even if the host system lacks support for it.
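An added example serving both comments above (it is not code from aMember or from phpass itself): a Python reimplementation of the $P$ "portable hash" path of phpass's PasswordHash class. It splits a string like the forum's $P$BkTNDykCkTfsOqHwsV4TT2/ into scheme, iteration count, salt and checksum, taking the count exponent from the position of the fourth character in phpass's own itoa64 alphabet; it refuses to verify a hash whose checksum is not the full 22 characters (the forum string is shorter than a real 34-character hash); it checks the 'test12345' vector that phpass ships in its test.php; and it classifies stored hashes by prefix so a user table can be audited for the bcrypt-to-portable fallback the second comment describes. Function names, the sample strings other than the two hashes just mentioned, and the prefix list in identify() are this example's own choices.

```python
"""phpass "$P$" portable hashes: parse, verify and classify.

Added example, not aMember's or phpass's code: reimplements the portable-hash
path of phpass's PasswordHash class (crypt_private, encode64, gensalt_private).
"""
import hashlib
import hmac
import os

# phpass's base64 alphabet. The 4th character of a hash is an index into it
# and gives log2 of the iteration count ('9' -> 11, 'B' -> 13).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 8
CHECKSUM_LEN = 22   # 16 MD5 bytes in phpass's base64 flavour; full hash is 34 chars


def encode64(data: bytes) -> str:
    """phpass's little-endian, unpadded base64 (same bit order as its encode64())."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse(h: str) -> dict:
    """Split a $P$/$H$ string into scheme, iteration count, salt and checksum."""
    if h[:3] not in ("$P$", "$H$"):            # $H$ is phpBB's spelling of the same thing
        raise ValueError("not a phpass portable hash")
    if len(h) < 4 + SALT_LEN or h[3] not in ITOA64:
        raise ValueError("too short or bad count character")
    count_log2 = ITOA64.index(h[3])
    if not 7 <= count_log2 <= 30:              # the bounds phpass itself enforces
        raise ValueError("iteration count outside 2^7..2^30")
    checksum = h[4 + SALT_LEN:]
    return {
        "scheme": h[:3],
        "count_log2": count_log2,
        "rounds": 1 << count_log2,
        "salt": h[4:4 + SALT_LEN],
        "checksum": checksum,
        # anything other than 22 alphabet chars means the hash was cut or mangled
        "complete": len(checksum) == CHECKSUM_LEN and all(c in ITOA64 for c in checksum),
    }


def crypt_private(password: bytes, setting: str) -> str:
    """md5(salt + pw) followed by 2^count_log2 rounds of md5(prev + pw), as phpass does."""
    f = parse(setting)
    digest = hashlib.md5(f["salt"].encode() + password).digest()
    for _ in range(f["rounds"]):
        digest = hashlib.md5(digest + password).digest()
    return setting[:4 + SALT_LEN] + encode64(digest)


def hash_password(password: bytes, count_log2: int = 11) -> str:
    """New $P$ hash with a random salt (6 random bytes -> 8 alphabet chars).

    count_log2 here is the final exponent. phpass's gensalt_private adds 5 to the
    constructor's iteration_count_log2 on PHP 5, so its default of 8 gives 'B' (2^13).
    """
    return crypt_private(password, "$P$" + ITOA64[count_log2] + encode64(os.urandom(6)))


def check_password(password: bytes, stored: str) -> bool:
    """phpass CheckPassword(); a truncated stored hash never verifies."""
    if not parse(stored)["complete"]:
        return False
    return hmac.compare_digest(crypt_private(password, stored), stored)


def identify(stored: str) -> str:
    """Which phpass backend produced a stored hash, for auditing fallbacks."""
    if stored[:4] in ("$2a$", "$2y$", "$2b$"):   # phpass emits $2a$; later PHP/OpenBSD use $2y$/$2b$
        return "bcrypt"
    if stored[:3] in ("$P$", "$H$"):
        return "portable (md5)"
    if stored[:1] == "_" and len(stored) == 20:    # '_' + 4 count + 4 salt + 11 hash chars
        return "extended DES"
    return "unknown"


if __name__ == "__main__":
    forum = "$P$BkTNDykCkTfsOqHwsV4TT2/"           # the string quoted on the aMember forum
    f = parse(forum)
    print(f["count_log2"], f["rounds"], f["salt"], "complete:", f["complete"], identify(forum))
    print(check_password(b"test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))  # phpass test.php vector
```

Running identify() over every stored hash is the quick way to confirm whether a phpass deployment actually got bcrypt or silently fell back to the portable MD5 scheme on a host without CRYPT_BLOWFISH; any "portable (md5)" rows on a PHP 5.3+ install mean the PasswordHash constructor was given portable_hashes = TRUE rather than a missing crypt().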