apaderno (Brescia, Italy):
Drupal adopted the Portable PHP password hashing framework.
If you want to import users from another database, it can be a pain to get the passwords working, because you don't have them available as plaintext. It is even worse if you import users from two different projects that use different password hashing.
Now, the update is easy and does not require the plaintext password, but it can leave you in a state where you can't use the built-in password hashing, or where different users need different hash functions.
The idea is that we store, with each user:
- which hash function was used (if not the default). This can be a keyword, the function name, whatever.
- a random user salt.
- the hashed password, salted with the user salt and possibly a system salt defined in settings.php. This depends on the choice of hash function.
Each time the user changes the password, the salt gets a new random value, and the "hash function" is reset to something default, like sha256($system_salt . $user_salt . $pass). The available hash functions and the system salt could be configured in settings.php.
As we will never search or sort by the password hash or salt, I think it would be wise to put it all in a serialized string, instead of separate DB columns.
I would much prefer to see this in core, rather than in a custom module. It would be too easy to break user logins just by disabling the module. Or the module could be abandoned. And modules have to hook into the user login form, while a core solution only needs to modify the password hashing.
Related issues:
- #29706: More secure password hashing
- #493984: Passwords should be salted
Related modules:
- phpass, which uses blowfish/bcrypt for key strengthening. This seems like a very useful thing, and it would fit quite well in my proposed solution.
Attached you will find an example implementation.
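An added example in PHP of the scheme the post describes (this is not the attached implementation, not Drupal core code, and not the phpass library): one serialized per-user record holding the algorithm name, a random user salt and the hash; legacy algorithms registered only so imported users can still log in; and a rehash to the default algorithm as soon as a login succeeds, since that is the one moment the plaintext is available. One deliberate departure from the post's suggested default: a single SHA-256 round over salt and password is cheap to brute-force, so the default here is bcrypt via PHP's password_hash(), in line with the bcrypt/phpass direction noted in the comment and the related-modules list, and sha256_salted is kept only as a migration source. SYSTEM_SALT, hash_algorithms, make_password_record, import_legacy_record and check_password are hypothetical names, and the demo data at the bottom is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the issue's attached implementation and not Drupal core code.
// Assumptions (names are hypothetical): SYSTEM_SALT stands in for a value read from
// settings.php; the record is stored in one serialized column as the post proposes.

const SYSTEM_SALT = 'constructed-system-salt-from-settings.php';
const DEFAULT_ALGO = 'bcrypt';

// Per-algorithm hash/verify pairs. The legacy entries exist only so that users
// imported from other projects can still log in; nothing new is hashed with them.
function hash_algorithms(): array {
    return [
        // Unsalted MD5, as found in many older PHP applications.
        'md5' => [
            'hash'   => fn(string $pass, string $salt): string => md5($pass),
            'verify' => fn(string $pass, string $salt, string $stored): bool
                => hash_equals($stored, md5($pass)),
        ],
        // SHA-1 over user salt + password.
        'sha1_salted' => [
            'hash'   => fn(string $pass, string $salt): string => sha1($salt . $pass),
            'verify' => fn(string $pass, string $salt, string $stored): bool
                => hash_equals($stored, sha1($salt . $pass)),
        ],
        // The post's suggested default: sha256($system_salt . $user_salt . $pass).
        'sha256_salted' => [
            'hash'   => fn(string $pass, string $salt): string
                => hash('sha256', SYSTEM_SALT . $salt . $pass),
            'verify' => fn(string $pass, string $salt, string $stored): bool
                => hash_equals($stored, hash('sha256', SYSTEM_SALT . $salt . $pass)),
        ],
        // Default here: bcrypt via password_hash(), a slow, salted hash. It embeds
        // its own salt, so the per-user salt is accepted but unused.
        'bcrypt' => [
            'hash'   => fn(string $pass, string $salt): string
                => password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]),
            'verify' => fn(string $pass, string $salt, string $stored): bool
                => password_verify($pass, $stored),
        ],
    ];
}

// Build the serialized record for a new or changed password: fresh random user
// salt, default algorithm.
function make_password_record(string $pass): string {
    $salt = bin2hex(random_bytes(16));
    $hash = (hash_algorithms()[DEFAULT_ALGO]['hash'])($pass, $salt);
    return serialize(['algo' => DEFAULT_ALGO, 'salt' => $salt, 'hash' => $hash]);
}

// Wrap a hash imported from another system without knowing the plaintext.
function import_legacy_record(string $algo, string $salt, string $hash): string {
    if (!array_key_exists($algo, hash_algorithms())) {
        throw new InvalidArgumentException("Unknown hash algorithm: $algo");
    }
    return serialize(['algo' => $algo, 'salt' => $salt, 'hash' => $hash]);
}

// Verify a login. On success with a non-default algorithm the plaintext is in
// hand, so a replacement record is returned via $upgraded for the caller to store.
function check_password(string $pass, string $record, ?string &$upgraded = null): bool {
    $upgraded = null;
    // allowed_classes => false: the column is attacker-influenced data; never let
    // unserialize() instantiate objects from it.
    $data = unserialize($record, ['allowed_classes' => false]);
    $algos = hash_algorithms();
    if (!is_array($data)
        || !isset($data['algo'], $data['salt'], $data['hash'])
        || !isset($algos[$data['algo']])) {
        return false;
    }
    $ok = ($algos[$data['algo']]['verify'])($pass, $data['salt'], $data['hash']);
    if ($ok && $data['algo'] !== DEFAULT_ALGO) {
        $upgraded = make_password_record($pass);
    }
    return $ok;
}

// Constructed demo data: one user imported from an unsalted-MD5 system.
$record = import_legacy_record('md5', '', md5('correct horse battery'));
$upgraded = null;
if (check_password('correct horse battery', $record, $upgraded) && $upgraded !== null) {
    $record = $upgraded; // persist the bcrypt record; later logins verify with bcrypt
}
if (check_password('wrong password', $record, $upgraded)) {
    echo "unexpected: wrong password accepted\n";
}
echo unserialize($record, ['allowed_classes' => false])['algo'], "\n";
```

After the first successful login the stored record's algorithm field is bcrypt and the legacy MD5 value is gone; a wrong password is rejected both before and after the upgrade. Keeping the whole record in one serialized column matches the post's reasoning (nothing ever searches or sorts on it), but it is exactly why unserialize() must be called with allowed_classes set to false.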
Status: Closed (outdated)
Version: 7.0