This module will swap the password hashing mechanism used in Drupal (based on Phpass) to use the newer password_hash() function and its companions.

Note that the Drupal 7 version requires PHP 5.5. The minimum requirement for Drupal 7 itself is PHP 5.2, so please make sure your server is running PHP 5.5 or later.

Doesn't Drupal core hash passwords already?

Yes, it does. Drupal uses the hash() function with the sha512 algorithm and 15 iterations to hash passwords.

Why should I use this module if core already has password hashing?

Using SHA512 hashes with multiple iterations is reasonably secure, given that the salt is random and comes from a good CSPRNG. However, SHA512 is still a message digest algorithm, and even consumer-level hardware can compute it fast.

PHP 5.5 introduced the password_hash() function, which takes away the burden of generating a hash with sensible security settings and implicitly encourages everyone to use it.

If you have a server running PHP 5.5 or later, you can install this module to use this new implementation, which gives you:

  • Bcrypt (Blowfish-based) hashing, or Argon2i, instead of core's SHA512.
  • Timing-attack safety: password_verify() compares in constant time.
  • Portability: if you share the database with other, non-Drupal systems, they can use the Drupal password. If you want to import or sync user password hashes with other non-Drupal systems, you can easily do so as long as all systems use password_hash(). Importing databases should be a breeze!

What happens to existing passwords?

They will continue to work, and each password is rehashed on that user's next successful login. This is completely transparent.

Uninstalling the module

Note that, when uninstalling the module, the database may contain hashes generated by this module's implementation. Drupal core will not be able to recalculate the same hash, so those users will no longer be able to log in. The passwords are still secure, but a password reset will be necessary for the affected users.

Why is the .module file empty?

The module still works. On install, the module overrides the password backend, and it restores the core backend when disabled. There is simply no need to implement any other hooks.
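The verify-then-rehash flow behind "existing passwords continue to work and are rehashed on the next successful login", as an added example written for PHP 7.0 or later; this is not the module's own code. The `legacy$salt$digest` format and its checker are a constructed stand-in for core's hash (Drupal's real format is the `$S$` phpass-derived one); the point is the branch structure: verify with whatever scheme the stored hash uses, compare legacy digests with hash_equals(), and on success replace the hash with a password_hash() hash.

```php
<?php
// Added example, not the module's code. Requires PHP 7.0+ (random_bytes()).
// "legacy$salt$hexdigest" is a constructed stand-in for the core hash format,
// used only to show the legacy-verify-then-rehash branch.

function legacy_hash($password) {
    $salt = bin2hex(random_bytes(8));
    return 'legacy$' . $salt . '$' . hash('sha512', $salt . $password);
}

function legacy_check($password, $stored) {
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'legacy') {
        return false;
    }
    $recomputed = hash('sha512', $parts[1] . $password);
    // hash_equals() compares in constant time, so the comparison does not
    // leak how many leading bytes of the digest matched.
    return hash_equals($parts[2], $recomputed);
}

function is_password_hash($stored) {
    // password_get_info() reports a falsy 'algo' for anything password_hash()
    // did not produce (0 before PHP 7.4, null from 7.4 on).
    $info = password_get_info($stored);
    return !empty($info['algo']);
}

// Verifies $password against $stored. On success, $stored is replaced in place
// by a password_hash() hash whenever it is a legacy hash or uses outdated options.
function check_and_upgrade($password, &$stored) {
    if (is_password_hash($stored)) {
        if (!password_verify($password, $stored)) {   // constant-time compare
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $stored = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }
    if (!legacy_check($password, $stored)) {
        return false;
    }
    // Correct password against a legacy hash: this is the transparent rehash
    // that happens on the user's next successful login.
    $stored = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Constructed demo account that still carries a legacy hash.
$stored = legacy_hash('correct horse battery staple');
echo "stored before: ", $stored, "\n";

$ok = check_and_upgrade('wrong password', $stored);
echo "wrong password accepted: ", var_export($ok, true), "\n";
echo "stored after wrong attempt: ", $stored, "\n";   // unchanged

$ok = check_and_upgrade('correct horse battery staple', $stored);
echo "correct password accepted: ", var_export($ok, true), "\n";
echo "stored after successful login: ", $stored, "\n"; // now a password_hash() hash

// A second login verifies through password_verify() and no longer rehashes
// unless PASSWORD_DEFAULT or its options change.
$ok = check_and_upgrade('correct horse battery staple', $stored);
echo "second login accepted: ", var_export($ok, true), "\n";
```

In Drupal 7 the backend swap works by pointing the `password_inc` variable at a file that provides `user_hash_password()`, `user_check_password()` and `user_needs_new_hash()`; the three functions above map onto that contract (hash, check-and-upgrade, needs-rehash), with core's own implementation taking the place of the constructed `legacy_check()`.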

PHP 5.5 or later only

password_hash() was introduced in PHP 5.5. Version 5.5 itself is a few years old, so the best recourse is to upgrade your server. There are alternatives to this, but this module focuses on simply swapping the backends, not implementing them.

User interface

There is no user interface. Install the module to swap Drupal core's hashing implementation for this module's own; uninstall to revert.

Drupal 8 version?

It is coming soon.

PHP 7.2 / Argon2

If your site is running on PHP 7.2, this module can use the Argon2i password hashing algorithm that PHP 7.2 provides. The existing Bcrypt hashes are still secure, though. Refer to the module documentation to enable Argon2i support. This transition is also transparent: existing hashes will be rehashed on each user's next successful login.
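Algorithm selection for the Bcrypt-to-Argon2i transition described above, as an added example that is not the module's code and does not show how the module itself is configured. It assumes the site prefers Argon2i whenever the running PHP build defines PASSWORD_ARGON2I (PHP 7.2 or later built with Argon2 support) and stays on Bcrypt otherwise; password_verify() reads the algorithm from the hash prefix, so existing Bcrypt hashes keep verifying and are upgraded by password_needs_rehash() on the next successful login.

```php
<?php
// Added example, not the module's code. Requires PHP 5.5+; Argon2i is only
// used when this PHP build defines PASSWORD_ARGON2I (7.2+ with libargon2).

function preferred_algo() {
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;
}

function preferred_options() {
    // Hashing and the needs-rehash check must use the same options, otherwise
    // every login would be flagged for a rehash. Bcrypt cost 12 is an assumed
    // site policy; Argon2i keeps PHP's defaults here.
    return preferred_algo() === PASSWORD_BCRYPT ? ['cost' => 12] : [];
}

function hash_password($password) {
    return password_hash($password, preferred_algo(), preferred_options());
}

// Verifies $password against $stored and, on success, upgrades $stored in place
// when it uses a different algorithm or weaker options than the preference.
function verify_and_upgrade($password, &$stored) {
    // password_verify() handles both $2y$ (bcrypt) and $argon2i$ hashes and
    // compares in constant time.
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, preferred_algo(), preferred_options())) {
        $stored = hash_password($password);
    }
    return true;
}

// Constructed demo: an "existing" hash created while Bcrypt was the backend.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$before = password_get_info($stored);

$ok = verify_and_upgrade('wrong password', $stored);   // leaves $stored alone
echo "wrong password accepted: ", var_export($ok, true), "\n";

$ok = verify_and_upgrade('correct horse battery staple', $stored);
$after = password_get_info($stored);
echo "correct password accepted: ", var_export($ok, true), "\n";
echo "algorithm before login: ", $before['algoName'], "\n";
echo "algorithm after login:  ", $after['algoName'], "\n";
// On a build with Argon2 support the hash switches from bcrypt to argon2i;
// without it the hash stays bcrypt and is only rehashed to the preferred cost.
```

Because the decision is made from `defined('PASSWORD_ARGON2I')` at hash time, the same code runs unchanged on a PHP 5.5 host and on a PHP 7.2 host, and a later PHP upgrade migrates hashes one login at a time rather than requiring a password reset.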

How do I know if it's enabled and working?

Go to the status page of your site and look for this module's entry in the status report; it tells you which hashing backend is active.
