We are using Moodle 3.9+ with the Classic theme, and this week we are facing an issue with user login.
In particular, some users are no longer able to log in even though their credentials (username and password) are valid.
We are analyzing the problem and it seems that the problem is due to the hash algorithm used for storing the passwords.
The use cases are as follows:
Users imported via CLI with the autoupload function, which sets fasthash (iterations=04):
- The majority of users had already changed their password, as it is set to force-change at the first login, but since March 25th these users cannot log in anymore and they have to request Forgot password. The new password then has 10 iterations and authentication works.
- Many users already appear to have the $2y$10 hash algorithm for the stored password, and they log in correctly. We don't know whether this is by means of Forgot password, but until now we have never had alerts from users having this issue.
- New users tested now appear to have the 10-iteration hash after the forced password change, and they are able to log in correctly.
Users created manually have always had passwords hashed with 10 iterations.
We did not change anything in the system, no upgrade of Moodle or PHP, no config.php modified.
We see that PHP uses the PASSWORD_DEFAULT parameter, sometimes with an iterations option, as in the autoupload bulk routine.
We were wondering what change related to authentication could have caused the 04 authentication to stop working.
How can we solve this problem without asking all users to request Forgot password?
Thank you for your help!
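
An added diagnostic, not part of the original post and not Moodle code: PHP's password_verify() reads the cost from the stored hash itself, so this script reports, for each stored hash, whether it is a well-formed bcrypt string, which cost it carries, and whether it still verifies. The password and hashes are constructed samples; TARGET_COST and audit_hash() are names chosen for this example.

```php
<?php
declare(strict_types=1);

// Assumed target cost, taken from the working hashes in the post ($2y$10).
const TARGET_COST = 10;

/**
 * Inspect one stored hash against a candidate password.
 * Returns the facts needed to tell "wrong cost" apart from "damaged hash".
 */
function audit_hash(string $stored, string $candidate): array
{
    $info = password_get_info($stored);

    return [
        'prefix'       => substr($stored, 0, 7),
        'length'       => strlen($stored),   // a complete bcrypt hash is 60 characters
        'bcrypt'       => $info['algoName'] === 'bcrypt',
        'cost'         => $info['options']['cost'] ?? null,
        // The cost is parsed from $stored, so a cost-04 hash verifies like a cost-10 one.
        'verifies'     => password_verify($candidate, $stored),
        // True when the hash should be regenerated at TARGET_COST after a good login.
        'needs_rehash' => password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => TARGET_COST]),
    ];
}

// Constructed sample data: one password hashed at the two costs the post mentions.
$password = 'Constructed-sample-1!';
$samples = [
    'cost 04' => password_hash($password, PASSWORD_DEFAULT, ['cost' => 4]),
    'cost 10' => password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]),
];
// Constructed failure case: a stored value that is no longer a complete hash.
$samples['truncated'] = substr($samples['cost 04'], 0, 40);

foreach ($samples as $label => $hash) {
    echo str_pad($label, 10), json_encode(audit_hash($hash, $password)), PHP_EOL;
}
```

Run against a copy of an affected user's stored hash and a known password, a result of bcrypt=true with verifies=false points at the stored value or the submitted password rather than at the cost factor.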