- The current password hashing library is a custom fork of phpass.
- It has to be maintained by Drupal. Drupal should not be in the business of developing/maintaining a password hashing library.
- The hashing algorithm is entirely custom, so the stored hashes are interoperable with nothing else.
- The next time we upgrade the hash algorithm or the iteration count, we have to write the migration all over again. PHP's password_hash() has forward upgrading built into its design: password_needs_rehash() tells you whether a stored hash still matches the current algorithm and options, so it can be replaced on the next successful login.
- Replace the custom password hashing library with PHP 5.5's
- Keep the existing hashing mechanism to validate passwords migrated from Drupal 6 or 7, and to rehash passwords created before Drupal 8.3.0. Note that this service has to stay until Drupal 10 so that passwords migrated from Drupal < 8.3.0 can still be validated.
Drupal\Core\Password\* is replaced by
Data model changes
Passwords are now stored as password_hash() hashes.
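The login-time flow the proposal implies, as an added example written for this page (it is not Drupal's code and not the `Drupal\Core\Password` API). It assumes PHP 8.1, bcrypt at cost 12 as the `password_hash()` choice, and that migrated rows carry Drupal 7's phpass `$S$` salted-SHA-512 format (the only legacy form handled here; `$P$`/`$H$` portable hashes and `U$S$` rows with an MD5 pre-hash are not). The passwords and the fixed salt are constructed demo data.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal's code (assumes PHP >= 8.1). Native hashes go
// through password_verify(); rows migrated from Drupal 7 still hold phpass
// "$S$" hashes and are checked by re-deriving them; password_needs_rehash()
// flags both kinds, so a successful login transparently upgrades the row.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const LEGACY_HASH_LENGTH = 55; // Drupal 7 truncates the encoded hash to 55 chars

// phpass-style base64 with its own alphabet (not RFC 4648).
function legacyBase64Encode(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) {
            $value |= ord($input[$i]) << 8;
        }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        if ($i < $count) {
            $value |= ord($input[$i]) << 16;
        }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) {
            break;
        }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Re-derive a Drupal 7 "$S$" hash from its 12-char setting prefix:
// "$S$" + one ITOA64 char giving log2(iterations) + an 8-char salt.
function legacySha512Crypt(string $password, string $setting): ?string
{
    $setting = substr($setting, 0, 12);
    if (strlen($setting) !== 12 || !str_starts_with($setting, '$S$')) { return null; }
    $countLog2 = strpos(ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) { return null; } // D7's accepted range
    $count = 1 << $countLog2;
    $hash = hash('sha512', substr($setting, 4, 8) . $password, true);
    do {
        $hash = hash('sha512', $hash . $password, true);
    } while (--$count);
    return substr($setting . legacyBase64Encode($hash, 64), 0, LEGACY_HASH_LENGTH);
}

final class PasswordService
{
    public function __construct(private string $algo = PASSWORD_DEFAULT,
                                private array $options = []) {}
    public function hash(string $password): string
    {
        return password_hash($password, $this->algo, $this->options);
    }
    public function check(string $password, string $stored): bool
    {
        if (str_starts_with($stored, '$S$')) { // migrated Drupal 7 row
            $computed = legacySha512Crypt($password, $stored);
            return $computed !== null && hash_equals($stored, $computed);
        }
        return password_verify($password, $stored);
    }
    // True for legacy hashes and for native hashes made with another algo/cost.
    public function needsRehash(string $stored): bool
    {
        return password_needs_rehash($stored, $this->algo, $this->options);
    }
    // Hash to persist after a successful login (upgraded if needed), or null on failure.
    public function login(string $password, string $stored): ?string
    {
        if (!$this->check($password, $stored)) { return null; }
        return $this->needsRehash($stored) ? $this->hash($password) : $stored;
    }
}

// Constructed demo data: the "migrated" row is produced here with a fixed salt
// ('D' => 2^15 rounds) so the run is reproducible; real rows come from Drupal 7.
$expect = fn(bool $ok, string $what) => $ok ?: throw new RuntimeException($what);
$svc = new PasswordService(PASSWORD_BCRYPT, ['cost' => 12]);
$legacy = legacySha512Crypt('correct horse battery', '$S$Dabcdefgh');
$expect($svc->check('correct horse battery', $legacy), 'legacy hash verifies');
$expect(!$svc->check('wrong password', $legacy), 'wrong password is rejected');
$expect($svc->needsRehash($legacy), 'legacy hash is flagged for upgrade');
$upgraded = $svc->login('correct horse battery', $legacy);
$expect($upgraded !== null && str_starts_with($upgraded, '$2y$'), 'login upgraded to bcrypt');
$expect(!$svc->needsRehash($upgraded), 'fresh bcrypt hash is current');
// A later cost increase needs no migration code: the old hash is simply flagged.
$expect((new PasswordService(PASSWORD_BCRYPT, ['cost' => 13]))->needsRehash($upgraded), 'cost bump flags old hash');
echo "all checks passed\n";
```

Two points worth keeping in mind when applying this pattern. First, `password_needs_rehash()` returns true for any hash it does not recognise, which is what lets one code path handle both the legacy `$S$` rows and a future cost or algorithm change. Second, the upgrade only happens when the user logs in, so accounts that stay dormant keep their legacy hash indefinitely; that is why the summary above says the legacy validation service has to stay available for several major versions rather than being dropped right after the switch. Also note that bcrypt only uses the first 72 bytes of the password, whereas the phpass scheme accepted far longer input, so the two schemes do not treat very long passphrases identically.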
Original report by @cweagans
Rob Loach mentioned in http://drupal.org/node/1463624#comment-6750938 that there was a third-party library that provides PHPass functionality. Let's look into adopting it as a replacement for our library.