Problem/Motivation

Backport of #3530186: Switch to argon2 as the default password hashing algorithm

Steps to reproduce

Proposed resolution

Changes from #3530186: Switch to argon2 as the default password hashing algorithm

  • The default algorithm is null, i.e., the PHP default, which is currently bcrypt.
  • Display an info-level requirement if the algorithm currently in use is bcrypt, indicating that this is changing in Drupal 12.
  • Point to a different change record with instructions suitable for Drupal 11.4.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3581966

Comments

znerol created an issue. See original summary.

benjifisher’s picture

Issue summary: View changes

I think we should mention this in a change record, so I added an item to the "Remaining tasks".

@znerol, thanks for making two commits (first one a cherry-pick). That makes it easier to review. I do not have time now to figure out the changes in the tests. Lunch break is over, so I have to get back to my day job.

znerol’s picture

Issue summary: View changes
Status: Active » Needs review

Added a separate change record.

znerol’s picture

Issue summary: View changes

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community

Started a new pipeline a few times but it's all green, so I believe it's a good backport.

benjifisher’s picture

I said,

I do not have time now to figure out the changes in the tests.

I see now: we always want to test both bcrypt and argon2. In both branches, PasswordRequirementsDefaultTest.php handles one of them. In the main branch, we add PasswordRequirementsBcryptTest to handle the other, and in 11.x we add PasswordRequirementsArgon2idTest.

I have just one question on the MR. Back to NW for that.

benjifisher’s picture

Status: Reviewed & tested by the community » Needs work

znerol’s picture

Status: Needs work » Needs review

benjifisher’s picture

Status: Needs review » Reviewed & tested by the community

longwave’s picture

Status: Reviewed & tested by the community » Fixed

Committed and pushed 38187dd05c3 to 11.x. Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

  • longwave committed 38187dd0 on 11.x
    feat: #3581966 [11.x] Introduce kernel parameters for password hashing...

smustgrave’s picture

Status: Reviewed & tested by the community » Needs review

smustgrave’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

gábor hojtsy’s picture

@znerol et al., would this statement be true?

Drupal 12 will default to argon2id, but your site can already start to adopt it. If you update the setting, users' passwords will be rehashed on their next login.

Especially the last sentence! Is this a true statement?

znerol’s picture

Yes.
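
The rehash-on-login behaviour confirmed above, as an added example in plain PHP. It is not part of the thread and not Drupal's own code. The function name `login_and_maybe_rehash()` and the sample password are hypothetical, and a null algorithm stands for "PHP default" as in the issue summary.

```php
<?php
declare(strict_types=1);

/**
 * Verifies a login and upgrades the stored hash when the configured
 * algorithm differs from the one that produced it.
 * Hypothetical helper written for this example.
 *
 * @return array{0: bool, 1: string} [login succeeded, hash to store]
 */
function login_and_maybe_rehash(string $password, string $stored, string|int|null $algo, array $options = []): array {
  if (!password_verify($password, $stored)) {
    // Wrong password: never touch the stored hash.
    return [FALSE, $stored];
  }
  if (password_needs_rehash($stored, $algo, $options)) {
    // The plaintext is only available at this moment, which is why the
    // migration happens per user at the next login and not in bulk.
    $stored = password_hash($password, $algo, $options);
  }
  return [TRUE, $stored];
}

// Constructed sample account, hashed while the setting was still null
// (the PHP default algorithm).
$password = 'correct horse battery staple';
$stored = password_hash($password, NULL);
echo 'stored with: ', password_get_info($stored)['algoName'], PHP_EOL;

// The site owner changes the setting. PASSWORD_ARGON2ID exists only when
// PHP was built with Argon2 support, so fall back to the default otherwise.
$algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : NULL;

// A failed login leaves the old hash in place.
[$ok, $after] = login_and_maybe_rehash('wrong guess', $stored, $algo);
echo 'failed login changed hash: ', var_export($after !== $stored, TRUE), PHP_EOL;

// A successful login verifies against the old hash, then replaces it.
[$ok, $stored] = login_and_maybe_rehash($password, $stored, $algo);
echo 'after login: ', password_get_info($stored)['algoName'], PHP_EOL;

// A second login finds nothing left to upgrade.
[, $again] = login_and_maybe_rehash($password, $stored, $algo);
echo 'second login changed hash: ', var_export($again !== $stored, TRUE), PHP_EOL;
```

Accounts that never log in after the setting changes keep their existing hash, because the plaintext is needed to produce the new one.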