(Changed from Improvement to Bug since 3.0 is live now)
Old, insecure password hash types were deprecated in v6.13, and removed in v3 (strangely this happened inside a commit named "Implemented External Storage for User Field Type".
This BC break is intentional and needed - we should not support insecure hashes. But it seems to have caught people by surprise. It will break sites where the insecure hashes are in use.
There should be documentation about the change, and an upgrade script. Unfortunately it is not possible to upgrade the hashes in a script, since we don't know the passwords. Only the users do. This is why, from 6.13 through 2.5 the hashes were automatically upgraded when users logged in. But there will often be users who have not logged in for a long while, and if they come back after a v3 upgrade, their accounts will be blocked. There is a an exception:
HTTP 400 Bad RequestArgument 'hashType' is invalid: Password hash type '2' is not recognized
We should fix this. Serhey Dolgushev suggests that instead of the exception, we should show an info message and redirect to the forgot password feature.
We could also make a script that proactively replaces old hashes with new ones based on randomly created strong passwords, like what you would get with bin2hex(random_bytes(10)) which returns a 20-char long hexadesimal password - and emails it to the users. The emailing could be optional (it's a security risk). Without it, users will have to go through "forgot password" thing, but they avoid the exception.
- Document the change on https://doc.ezplatform.com/en/latest/updating/updating_ez_platform/
- Document the change in the kernel: https://github.com/ezsystems/ezpublish-kernel/tree/1f5a477e243b864f05a705097a0cf688567489c9/doc/bc
- Ensure no exception on invalid hash type. Show info and redirect to forgot password.
- Make a script that warns you during the v3 upgrade if you have old unsupported password hash types in your DB.
- Make a script that upgrades unsupported hashes to valid ones, and optionally emails the passwords to the users.