The password hashing algorithm and options can be changed using kernel parameters. These parameters are passed to password_hash() whenever a password is created or changed. The algorithm parameter defaults to null and the options parameter to [] (empty array).
Developers may change the algorithm used via custom services.yml file loaded via settings.php.
Custom services.yml example
If you have an existing services.yml file in your sites folder (e.g. sites/default/files/services.yml),
you can simply add two new parameters. In most cases you won't need to add password.options as the default options will suffice.
parameters: # Can be argon2i, argon2id or 2y password.algorithm: argon2id # 👈️ Parameter 1 # See https://www.php.net/password_hash password.options: [] # 👈️ Parameter 2 - optional
If you don't have an existing services.yml file, you can create one and load it by adding this to your settings.php
// Add to your settings.php - use the path of the file you created. $settings['container_yamls'][] = DRUPAL_ROOT . '/sites/default/services.yml';
Drupal 12
Default password hashing algorithm is argon2id in Drupal 12.
Forwards compatibility layer
Site owners wishing to take advantage of this functionality before Drupal 11.4 is released can install the 3.0.0 series of the PHP Password contributed module. It provides a forward compatibility layer for this functionality.