Change record status: 
Project: 
Introduced in branch: 11.4.x
Introduced in version: 11.4.0
Description: 

The password hashing algorithm and options can be changed using kernel parameters. These parameters are passed to password_hash() whenever a password is created or changed. The algorithm parameter defaults to null and the options parameter to [] (empty array).

Developers may change the algorithm by adding the parameters to a custom services.yml file that is loaded via settings.php.

Custom services.yml example

If you have an existing services.yml file in your sites folder (e.g. sites/default/files/services.yml), you can simply add two new parameters. In most cases you won't need to add password.options as the default options will suffice.

parameters:
  # Can be argon2i, argon2id or 2y
  password.algorithm: argon2id # 👈️ Parameter 1
  # See https://www.php.net/password_hash
  password.options: [] # 👈️ Parameter 2 - optional

If you don't have an existing services.yml file, you can create one and load it by adding this to your settings.php:

// Add to your settings.php - use the path of the file you created.
$settings['container_yamls'][] = DRUPAL_ROOT . '/sites/default/services.yml';
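
Argon2 is only available when the PHP build includes it, so it is worth checking a server before setting these parameters. The following stand-alone script is an added example, not Drupal core code: it assumes PHP 8, and the `$algorithm` and `$options` values and the `check_password_settings()` helper are constructed for illustration.

```php
<?php
// Added example, not Drupal core code. Assumes PHP 8.
// Constructed values mirroring password.algorithm / password.options.
$algorithm = 'argon2id';
$options = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];

/**
 * Checks that this PHP build can hash with the given settings.
 *
 * @return string[] Problems found; empty when the settings are usable.
 */
function check_password_settings(?string $algorithm, array $options): array {
  // password_algos() lists the algorithm IDs compiled into this PHP build.
  if ($algorithm !== null && !in_array($algorithm, password_algos(), true)) {
    return ["'$algorithm' is not available; this build has: " . implode(', ', password_algos())];
  }
  try {
    $hash = password_hash('constructed-sample-password', $algorithm, $options);
  } catch (\ValueError $e) {
    return ['password_hash() rejected the settings: ' . $e->getMessage()];
  }
  $problems = [];
  $info = password_get_info($hash);
  // A null algorithm means PHP's default, so only compare when one is set.
  if ($algorithm !== null && $info['algo'] !== $algorithm) {
    $problems[] = "Expected $algorithm but got {$info['algo']}";
  }
  // Options that the algorithm ignores do not show up in the hash metadata.
  foreach ($options as $name => $value) {
    if (($info['options'][$name] ?? null) !== $value) {
      $problems[] = "Option '$name' was not applied to the hash";
    }
  }
  return $problems;
}

$problems = check_password_settings($algorithm, $options);
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : 'Settings OK' . PHP_EOL;

// A hash created under other settings (constructed bcrypt sample) still verifies,
$old = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_verify('constructed-sample-password', $old));
// and password_needs_rehash() reports whether it differs from the new settings.
if (!$problems) {
  var_dump(password_needs_rehash($old, $algorithm, $options));
}
```

Run it with the same PHP binary and configuration that serves the site, since the CLI and web server builds can differ in which algorithms they support.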

Drupal 12

The default password hashing algorithm in Drupal 12 is argon2id.

Forwards compatibility layer

Site owners wishing to take advantage of this functionality before Drupal 11.4 is released can install the 3.0.0 series of the PHP Password contributed module. It provides a forward compatibility layer for this functionality.

Impacts: Site builders, administrators, editors