Question

Normally password security works like the following, right?:

  1. Browser hashes password (protecting original password from snoopers)
  2. Browser sends hashed password to site
  3. Site salts password (to protect from rainbow tables) and stores it
  4. Site does not retain any data other than salted password hash

How does this compare to phpbb3 security? Because I have a support person telling me everything is just in plaintext, which seems impossible in this day and age. https://www.phpbb.com/community/viewtopic.php?f=71&t=2190592


Solution

The hashing occurs on the server side. PHPBB does NOT store a plaintext password. The web browser sends the password as plaintext and PHPBB uses the Portable PHP password hashing algorithm which is described in this question.

If you are concerned about sniffing the plaintext password that the browser transmits, you will need to host your forum on an SSL protected domain. Then the browser will transmit data securely to your server and the same process to log in will occur.
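The server-side flow described in the answer, as an added example that is not part of the original post and is not phpBB's own code: a Python sketch of the Portable PHP password hashing (phpass) "portable" scheme, showing that only a salted, iterated hash is stored and that the plaintext arriving from the browser is re-hashed to check it. The function names, the `$H$` prefix choice and the iteration setting are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """phpass's base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_crypt(password: str, setting: str) -> str:
    """Hash `password` using the prefix, cost and salt taken from `setting`."""
    count_log2 = ITOA64.find(setting[3:4])
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12 or not 7 <= count_log2 <= 30:
        raise ValueError("not a portable phpass hash")
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()  # salt + password
    for _ in range(1 << count_log2):                            # key stretching
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def hash_password(password: str, count_log2: int = 8) -> str:
    """What the server stores at registration: a fresh random salt per user."""
    setting = "$H$" + ITOA64[count_log2] + _encode64(os.urandom(6))
    return phpass_crypt(password, setting)

def verify_password(password: str, stored: str) -> bool:
    """What the server does at login with the password the browser sent."""
    try:
        return hmac.compare_digest(phpass_crypt(password, stored).encode(), stored.encode())
    except ValueError:
        return False  # malformed or plaintext column value never matches

if __name__ == "__main__":
    stored = hash_password("correct horse")    # constructed sample password
    print(stored)                              # 34 characters: $H$ + cost + salt + hash
    print(verify_password("correct horse", stored), verify_password("guess", stored))
```
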

License: CC-BY-SA with attribution
Not affiliated with StackOverflow