In Drupal 7 a pluggable password hashing method was introduced. The default implementation is based on the Portable PHP Password Hashing Framework (phpass). To allow for a site-specific password hashing implementation, it was possible to use the password_inc variable to specify the path to a file containing customized versions of the functions implemented in include/password.inc. When using the default implementation, it was also possible to modify the standard log2 number of iterations for password stretching using the password_count_log2 variable. The default for password_count_log2 has been set to 15 via the constant DRUPAL_HASH_COUNT. That means that in Drupal 7 a plain text password is stretched by applying the hash function 2^15 = 32768 times.
In Drupal 8 the contents of the default implementation in include/password.inc have been refactored into the class Drupal\Core\PhpassHashedPassword implementing the interface Drupal\Core\PasswordInterface. Additionally the password hashing implementation is now registered as a service in the dependency injection container. In order to supply a customized password hashing implementation, the default class must be substituted by a custom class implementing Drupal\Core\PasswordInterface via the DIC. Also the default log2 iteration count was incremented by one, i.e. in Drupal 8 a plain text password is stretched by applying the hashing-function 2^16 = 65536
Substitute default password hashing implementation
Drupal 7
Supply a custom password_inc in the site's settings.php:
$conf['password_inc'] = 'sites/all/modules/mypasswordhasher/mypasswordhasher.inc';
Drupal 8
In the custom module's mymodule directory, add a file mymodule.services.yml containing:
services:
  password:
    class: Drupal\mymodule\MyPassword\MyPasswordHasher
    arguments: [16]
Contents of Drupal\mymodule\MyPassword\MyPasswordHasher.php should implement PasswordInterface, like this:
<?php

/**
 * @file
 * Definition of Drupal\mymodule\MyPassword\MyPasswordHasher
 */

// The namespace must match the class name registered in mymodule.services.yml.
namespace Drupal\mymodule\MyPassword;

use Drupal\Core\Password\PasswordInterface;

/**
 * My custom secure password hashing functions.
 */
class MyPasswordHasher implements PasswordInterface {
  // Custom code for hashing.
}
This will override the default password hashing implementation.
Change log2 iteration count for default password hashing implementation
Drupal 7
Via settings.php:
$conf['password_count_log2'] = 16;
Drupal 8
Via settings.php and custom site services YAML file:
$conf['container_yamls'][] = 'sites/all/mysite.services.yml';
Contents of sites/all/mysite.services.yml:
services:
  password:
    class: Drupal\Core\Password\PhpassHashedPassword
    arguments: [19]
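
The following Python sketch is an added example, not code from Drupal or from this change record. It goes beyond the text above by reproducing the stored `$S$` hash layout of the Drupal 7 default hasher (SHA-512, count character, 8-character salt, 55-character result) to show where the log2 iteration count lives in a stored hash and how to tell which hashes predate a raised count. The salt and password in any call are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

# Alphabet and limits as used by Drupal 7's default phpass-based hasher.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIN_LOG2, MAX_LOG2, HASH_LENGTH = 7, 30, 55


def b64_encode(data: bytes) -> str:
    """phpass base64 variant: little-endian 3-byte groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def count_log2(stored: str) -> int:
    """Return the log2 iteration count encoded in the 4th character."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a $S$ hash")
    return ITOA64.index(stored[3])


def crypt(password: str, setting: str) -> str:
    """Stretch password with the salt and count taken from setting."""
    log2, salt = count_log2(setting), setting[4:12]
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count out of bounds")
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):  # 2^15 = 32768 rounds for the Drupal 7 default
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + b64_encode(digest))[:HASH_LENGTH]


def check(password: str, stored: str) -> bool:
    """Recompute the hash and compare it to the stored one in constant time."""
    return hmac.compare_digest(crypt(password, stored).encode(), stored.encode())


def needs_new_hash(stored: str, target_log2: int) -> bool:
    """True when the stored hash was made with a different iteration count."""
    return count_log2(stored) != target_log2
```

A hash created with the Drupal 7 default of 15 starts with `$S$D`, one created with 16 starts with `$S$E`, so running `needs_new_hash` over an export of stored hashes shows how many accounts still carry the old count.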