Problem/Motivation
In #1845004: Replace custom password hashing library with PHP password_hash() we're moving core to use the core built-in PHP functions (yay and thank you @neclimdul and @znerol). This issue has been created to discuss how to adapt the module once #1845004: Replace custom password hashing library with PHP password_hash() lands.
This will affect the module in a few ways:
- Support for older passwords should be provided by the new core phpass module.
- People on 8.x-1.x could simply disable the module - I guess there might be something about setting the cost to the same value.
- 2.0.x - only at alpha - I think this should wait till the core patch lands. Because then this version of the module could be only about using argon and core could provide the bcrypt (current default) and phpass should supply the legacy support.
- Currently this module in both versions will trigger deprecations due to how it instantiates \Drupal\Core\Password\PhpassHashedPassword. I think this is okay for 8.x-1.x as that version becomes moot once the core change lands. I think 2.0.x should be updated as per 3 to address this.
Comments