This project is not covered by Drupal’s security advisory policy.

This module backports the pluggable and secure hashing from Drupal 7 to use with Drupal 6.

But wait you say! How is this module different from the Secure Password Hashes (phpass) you ask? There are a few major functional and architectural differences between these two projects:

  • It includes the default file used in Drupal 7. This file can also be easily swapped out using $conf['password_inc']. As such the module is designed to make porting your site to Drupal 7 easier.
  • The module can be disabled at any time without any side effects. To disable the Secure Password Hashes module without requiring all users to request new passwords, you have to first disable the secure hashes, and then all users have to login at least once.
  • The module doesn't actually remove the md5 hashes from the database.
  • Because the module provides a pluggable, it can also be used for painless user logins when migrating to Drupal from another CMS which hashes its passwords not using simple MD5().

New 2.x branch

The 2.x branch of Password module will no longer keep MD5 password hashes in the {users} table. The module now stores the secure hashes directly in {users}.pass using the same secure hashing method used in Drupal 7.

The upgrade path for this may not quite work properly, so make backups and use at your own risk until 6.x-2.0 officially is released.

Please also help review any remaining core issues about

I'm also debating back-porting the improvements to login flood protection.

Development was sponsored by

Project information