Use SHA-512 for user password hashes
function local_user_set_password() from auth.inc,
for now uses password_hash($password, PASSWORD_BCRYPT) function to create user password hash
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
Is it possible to use CNSA-compatible hashing for this operation?
Use SHA-384 to protect up to TOP SECRET. ( http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf )
Updated by Viktor Gurov 2 months ago
Updated by Jim Pingle about 1 month ago
- Status changed from Feedback to Resolved
Working as expected.
- New users get SHA-512 password only.
- Existing users get SHA-512 when their password is changed, old formats are removed.
- Users can login OK either way, it uses whichever format is present on the account (SHA-512, bcrypt, etc).