One of the message boards I frequent got hacked, and because they're idiots, it sent them into a panic. One of the comments made by a rational poster there pointed out that the salt used by vB is weak as cricket pee pee. I don't know what XenForo uses, but I thought, in light of that event, and reading this article, that it might be a good idea to review the security used by WF and give it a tweaking, if it needs it. Now, if you'll excuse me, I have to finish going around and changing all my passwords, just in case mine was one of the ones that got captured. (Not that I use it anywhere else, but better safe than sorry, know what I mean?)
That was an interesting article. My own password would have made it through several rounds, but eventually they would have got it toward the end. Of course, the first trick is in obtaining the list from the database. Just some quick googling turned up a fair number of statements that XenForo security is very strong. I suppose people can claim whatever they want, but what I did not find was much in the way of statements bashing the security, so it is likely fairly strong. Ultimately, the greatest security lies in not being an obvious target.
XenForo uses a double salted hash based on SHA1. That's a step up from single salted MD5, but not by much. MD5 is a 128-bit string, while SHA1 is a 160-bit string. The double salted hash adds an extra layer of protection. According to XF's guide, we can use SHA256, but it has to be added to the PHP configuration. It depends on how tightly secure you want things. So I'd say XF's security is above standard, though it's been said that SHA1 has flaws of its own. To be honest, they all do, somewhere, so YMMV.
I can't post a link to the transcript (as it hasn't been posted yet), but the latest episode of Security Now has lots of good information about improving site security. One idea they mention, which seems like it might be easy to do, is to create dummy accounts with easy-to-crack passwords and have the system set up to alert Admins if anyone attempts to log in using those accounts, since if they're being used, that means there's been a serious breach of board security.
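
The dummy-account tripwire described in the last post, as an added example that is not part of the original thread and is not XenForo or vBulletin code. The account names, the `LoginAttempt` record and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical decoy usernames; no real member ever logs in with these.
CANARY_ACCOUNTS = {"jsmith_old", "backup_admin", "testuser2009"}


@dataclass(frozen=True)
class LoginAttempt:
    timestamp: str      # ISO 8601, as an auth layer might record it (assumption)
    username: str
    source_ip: str
    password_ok: bool   # did the supplied password match the stored hash?


def canary_alerts(attempts):
    """Return one alert per attempt against a canary account, success or failure.

    A correct password is the stronger signal: the password is known only to
    the stored hash, so it implies the hashes were obtained and cracked offline.
    """
    alerts = []
    for a in attempts:
        name = a.username.strip().lower()  # assumes case-insensitive usernames
        if name not in CANARY_ACCOUNTS:
            continue
        alerts.append({
            "time": a.timestamp,
            "account": name,
            "source_ip": a.source_ip,
            "severity": "critical" if a.password_ok else "warning",
            "reason": ("canary password accepted: credential database likely exposed"
                       if a.password_ok else "login attempt against canary account"),
        })
    return alerts


def allow_login(attempt):
    """Gate for the real login path: a canary account never receives a session."""
    return attempt.password_ok and attempt.username.strip().lower() not in CANARY_ACCOUNTS


# Constructed sample events (documentation IP ranges), not real log data.
SAMPLE = [
    LoginAttempt("2024-01-05T10:00:00Z", "alice", "198.51.100.7", True),
    LoginAttempt("2024-01-05T10:02:11Z", "Backup_Admin", "203.0.113.40", False),
    LoginAttempt("2024-01-05T10:02:19Z", "backup_admin", "203.0.113.40", True),
    LoginAttempt("2024-01-05T10:03:00Z", "bob", "198.51.100.9", False),
]

if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE):
        print(alert)
```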