Work out what needs to happen due to core using PHP's password_hash()

Created on 4 April 2023, about 1 year ago

In 📌 Replace custom password hashing library with PHP password_hash() Fixed we're moving core to use the core builtin PHP functions (yay and thank you @neclimdul and @znerol). This issue has been created to discuss how to adapt the module once 📌 Replace custom password hashing library with PHP password_hash() Fixed lands

This will affect the module in a few ways:

Support for older passwords should be provided by the new core phpass module.
People on 8.x-1.x could simple disable the module - I guess there might be something about setting the cost to the same value.
2.0.x - only at alpha - I think this should wait till the core patch lands. Because then this version of the module could be only about using argon and core could provide the bcrypt (current default) and phpass should supply the legacy support.
Currently this module in both versions will trigger deprecations due to how it instantiates \Drupal\Core\Password\PhpassHashedPassword. I think this is okay for 8.x-1.x as that version become moot once the core change lands. I think 2.0.x should be update as per 3 to address this.

📌 Task

Status

Active

Version

2.0

Component

Code

Created by

🇬🇧United Kingdom alexpott 🇪🇺🌍

Live updates comments and jobs are added and updated live.

Comments & Activities

Production build 0.69.0 2024