=== modified file 'includes/password.inc'
--- includes/password.inc	2010-05-04 15:47:03 +0000
+++ includes/password.inc	2010-12-07 11:50:22 +0000
@@ -99,17 +99,21 @@ function _password_base64_encode($input,
  */
 function _password_generate_salt($count_log2) {
   $output = '$S$';
-  // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT.
-  $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT);
-  // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT.
   // We encode the final log2 iteration count in base 64.
   $itoa64 = _password_itoa64();
-  $output .= $itoa64[min($count_log2, DRUPAL_MAX_HASH_COUNT)];
+  $output .= $itoa64[_password_enforce_boundaries($count_log2)];
   // 6 bytes is the standard salt for a portable phpass hash.
   $output .= _password_base64_encode(drupal_random_bytes(6), 6);
   return $output;
 }
 
+function _password_enforce_boundaries($count_log2) {
+  // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT.
+  $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT);
+  // Maximum log2 iterations is DRUPAL_MIN_HASH_COUNT.
+  return min($count_log2, DRUPAL_MAX_HASH_COUNT);
+}
+
 /**
  * Hash a password using a secure stretched hash.
  *
@@ -262,6 +266,6 @@ function user_needs_new_hash($account) {
     return TRUE;
   }
   // Check whether the iteration count used differs from the standard number.
-  return (_password_get_count_log2($account->pass) != variable_get('password_count_log2', DRUPAL_HASH_COUNT));
+  return (_password_get_count_log2($account->pass) != _password_enforce_boundaries(variable_get('password_count_log2', DRUPAL_HASH_COUNT)));
 }