• Dries's avatar
    - Patch #29706 by pwolanin, solardiz, et al: more secure password hashing. · ed59911f
    Dries authored
      This is a big and important patch for Drupal's security.  We are switching
      to much stronger password hashes that are also compatible with the Portable
      PHP password hashing framework.
      The new password hashes defeat a number of attacks, including:
      - The ability to try candidate passwords against multiple hashes at once.
      - The ability to use pre-hashed lists of candidate passwords.
      - The ability to determine whether two users have the same (or different)
        password without actually having to guess one of the passwords.
      Also implemented a pluggable password hashing API (similar to how an alternate
      cache mechanism can be used) to allow developers to readily substitute an
      alternative hashing and authentication scheme.
      Thanks all!
To find the state of this project's repository at the time of any of these versions, check out the tags..