Problem/Motivation
As we realized during our meeting, there is an issue with the way passwords were generated in D7 Protected Node. This approach was different from the new one in Entity Access Password. It seems necessary that the passwords which were set in D7 still work in D9.
Proposed resolution
- Use the same password generation as in D7
- Find a way to migrate the passwords (like the user passwords)
Maybe the problem could be mitigated if we introduce the new password generation method as a third password hashing option in D7, so we have time to reset the passwords already in D7.
Issue fork protected_node-3260323
Comments
Comment #2
grimreaper
Comment #3
grimreaper
Here are my test results.
I have mounted a fresh and up-to-date Drupal 7 locally.
I have entered the password "bbb" for a user and for a node on both D7 and D9:
Protected node:
D7 bbb 3e744b9dc39389baf0c5a0660589b8402f3dbb49b89b3e75f2c9355852a3c677
D9 bbb $S$EpdBfSkmJ/kE50zOPmJTW8dNp3hsbGeKjCNNOFivo.JPL9GwN3Lx
Users:
D7 bbb $S$DuU.ufhmRZIze.ZFkBW3KD77QQ90NC4SUqmRY5SAHmXfL8lcEgG1
D9 bbb $S$EaQzYInBgo43Q81HDX8VGJuWEY6xv4UTk8FVWBwQjpLcPI.4PxXL
So in D7 it is not really possible to use the existing passwords as is for D9.
But I have taken the hashed password of the D7 user and put it into a D9 field value of the password field and it works!
I still don't quite understand how, with some random parts in the password hashing process (so the same password is hashed differently!), entering it is ok in all the cases.
It is way more secure because with the Protected Node D7 hashing mechanism, the password gives the same hash constantly, so if someone cracks it, it is possible to guess stuff.
So I guess we will patch the D7 version to change the hashing mechanism to the same as D7 for users.
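Added example, not part of the original thread or of the module's code: a Python sketch of why a `$S$`-style hash differs on every run yet still verifies, and why a D7 user hash can be checked unchanged in D9. The cost character and the 8-character salt are stored inside the hash itself. Function names are hypothetical, the scheme is re-implemented here from the hash format as an assumption, and unsalted SHA-256 stands in for the fixed-hash case.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # the $S$ hashes quoted in the thread are 55 characters long

def parse_setting(stored):
    """Split a '$S$' hash into (log2 iteration count, 8-char salt)."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a $S$ hash")
    return ITOA64.index(stored[3]), stored[4:12]

def _encode(data):
    """phpass-style base64: 3 bytes little-endian -> 4 chars, short tail -> fewer."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def salted_hash(password, count_log2, salt):
    """Iterated SHA-512 over salt + password; salt and cost go into the output."""
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return ("$S$" + ITOA64[count_log2] + salt + _encode(digest))[:HASH_LENGTH]

def new_hash(password, count_log2=16):
    """Hash with a fresh random salt, so each call gives a different string."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return salted_hash(password, count_log2, salt)

def verify(password, stored):
    """Recompute with the salt and cost read back from the stored value."""
    count_log2, salt = parse_setting(stored)
    return hmac.compare_digest(salted_hash(password, count_log2, salt), stored)

def fixed_hash(password):
    """Unsalted single-pass hash: identical output for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()

if __name__ == "__main__":
    d7_user = "$S$DuU.ufhmRZIze.ZFkBW3KD77QQ90NC4SUqmRY5SAHmXfL8lcEgG1"  # from the thread
    print(parse_setting(d7_user))  # cost and salt travel with the hash
    a, b = new_hash("bbb"), new_hash("bbb")
    print(a != b, verify("bbb", a), verify("bbb", b))
    print(fixed_hash("bbb") == fixed_hash("bbb"))
```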
Comment #4
grimreaper
Patch incoming.
Comment #6
grimreaper
@meyerrob done :)
Please test the MR changes.
I have made some quick tests but as CI is broken with D7 I can't trust the test suite.
Comment #7
meyerrob commented
We reviewed the code and it seems correct. Can you merge the code and release a new dev-release?
Comment #9
grimreaper
Thanks for the feedback!
Merged.
I will make a new proper release when getting confirmation that it is ok for you on your website.
Comment #10
meyerrob commented
I tested the dev release and it worked as expected:
I suggest a new stable release after the D9 migration of the passwords proves that this approach is a valid solution.
Comment #11
grimreaper
Thanks for the feedback.
New release done.