gnu-social/modules/AuthCrypt/README.md

AuthCrypt allows for GNU social to use password_hash() hashing to store password credentials.

Settings
========
You can change these settings in `config.php` with `$config['AuthCryptModule'][{setting name}] = {new setting value};`.

Default values in parenthesis.

authoritative (false): Set this to true when _all_ passwords are hashed with password_hash()
    (warning: this may disable all other password verification, also when changing passwords!)
algorithm (PASSWORD_DEFAULT): A hashing algorithm to use, the default value is defined by PHP. See all supported strings at https://php.net/password-hash
algorithm_options (['cost' => 12] if "algorithm" is bcrypt): Hashing algorithm options. See all supported values at https://php.net/password-hash
statusnet (true): Do we check the password against legacy StatusNet md5 hash?
    (notice: will check password login against old-style hash and if 'overwrite' is enabled update using crypt())
overwrite (true): Do we overwrite password hashes on login if they used a different algorithm
    (notice: to make use of stronger security or migrate obsolete hashes, this must be true)
password_changeable (true): Enables or disables password changing.
    (notice: if combined with authoritative, it disables changing passwords and removes option from menu.)
autoregistration: This setting is ignored. Password can never be valid without existing User.
provider_name: This setting defaults to 'crypt' but is never stored anywhere.

Technical note: Many settings are inherited from the AuthenticationModule class.
[AuthCrypt] Update README and fix formatting 2020-07-25 17:42:46 +01:00			`AuthCrypt allows for GNU social to use password_hash() hashing to store password credentials.`

			`Settings`
			`========`
			You can change these settings in `config.php` with `$config['AuthCryptModule'][{setting name}] = {new setting value};`.

			`Default values in parenthesis.`

[AuthCrypt] Password storage and comparison improvements Password hashes are now stored in a TEXT attribute, not limited to 199 symbols. That limitation makes no sense as password hashes are not the kind of information to be indexed. Actually replace crypt() with password_verify() for password checking, current code left password_verify() unused. Only update passwords when they use a different algorithm from the current default. Previously "overwrite" meant rehashing every login. Replace the "argon" boolean option with "algorithm" and "algorithm_options" for better configurability. The default remains whichever is default for PHP's password_hash. 2020-07-25 18:16:21 +01:00			`authoritative (false): Set this to true when _all_ passwords are hashed with password_hash()`
[AuthCrypt] Update README and fix formatting 2020-07-25 17:42:46 +01:00			`(warning: this may disable all other password verification, also when changing passwords!)`
[AuthCrypt] Password storage and comparison improvements Password hashes are now stored in a TEXT attribute, not limited to 199 symbols. That limitation makes no sense as password hashes are not the kind of information to be indexed. Actually replace crypt() with password_verify() for password checking, current code left password_verify() unused. Only update passwords when they use a different algorithm from the current default. Previously "overwrite" meant rehashing every login. Replace the "argon" boolean option with "algorithm" and "algorithm_options" for better configurability. The default remains whichever is default for PHP's password_hash. 2020-07-25 18:16:21 +01:00			`algorithm (PASSWORD_DEFAULT): A hashing algorithm to use, the default value is defined by PHP. See all supported strings at https://php.net/password-hash`
			`algorithm_options (['cost' => 12] if "algorithm" is bcrypt): Hashing algorithm options. See all supported values at https://php.net/password-hash`
[AuthCrypt] Update README and fix formatting 2020-07-25 17:42:46 +01:00			`statusnet (true): Do we check the password against legacy StatusNet md5 hash?`
			`(notice: will check password login against old-style hash and if 'overwrite' is enabled update using crypt())`
[AuthCrypt] Password storage and comparison improvements Password hashes are now stored in a TEXT attribute, not limited to 199 symbols. That limitation makes no sense as password hashes are not the kind of information to be indexed. Actually replace crypt() with password_verify() for password checking, current code left password_verify() unused. Only update passwords when they use a different algorithm from the current default. Previously "overwrite" meant rehashing every login. Replace the "argon" boolean option with "algorithm" and "algorithm_options" for better configurability. The default remains whichever is default for PHP's password_hash. 2020-07-25 18:16:21 +01:00			`overwrite (true): Do we overwrite password hashes on login if they used a different algorithm`
			`(notice: to make use of stronger security or migrate obsolete hashes, this must be true)`
[AuthCrypt] Update README and fix formatting 2020-07-25 17:42:46 +01:00			`password_changeable (true): Enables or disables password changing.`
			`(notice: if combined with authoritative, it disables changing passwords and removes option from menu.)`
			`autoregistration: This setting is ignored. Password can never be valid without existing User.`
			`provider_name: This setting defaults to 'crypt' but is never stored anywhere.`

			`Technical note: Many settings are inherited from the AuthenticationModule class.`