commit 9ab05f86ceeabeb6747f05262cf7955cb15a2810
Author: Peter Burnett <peterburnett@catalyst-au.net>
Date:   Fri Jan 10 14:07:55 2020 +1000

    Updated new password hashing to SHA-512

-
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index aa6867a2f00..7abe18a5951 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -4625,10 +4625,30 @@ function validate_internal_user_password($user, $password) {
 function hash_internal_user_password($password, $fasthash = false) {
     global $CFG;
 
-    // Set the cost factor to 4 for fast hashing, otherwise use default cost.
-    $options = ($fasthash) ? array('cost' => 4) : array();
+    if (property_exists($CFG, 'hashalgorithm') && !empty($CFG->hashalgorithm)) {
+        $algo = $CFG->hashalgorithm;
+    } else {
+        $algo = null;
+    }
+
+    switch ($algo) {
+        case 'sha256':
+            $rounds = $fasthash ? 1000 : 5000;
+            $pwstring = '$5$rounds='.$rounds.'$'.random_string(CRYPT_SALT_LENGTH).'$';
+            $generatedhash = crypt($password, $pwstring);
+            break;
+
+        case 'sha512':
+            $rounds = $fasthash ? 1000 : 5000;
+            $pwstring = '$6$rounds='.$rounds.'$'.random_string(CRYPT_SALT_LENGTH).'$';
+            $generatedhash = crypt($password, $pwstring);
+            break;
 
-    $generatedhash = password_hash($password, PASSWORD_DEFAULT, $options);
+        default:
+            $options = $fasthash ? array('cost' => 4) : array();
+            $generatedhash = password_hash($password, PASSWORD_DEFAULT, $options);
+            break;
+    }
 
     if ($generatedhash === false || $generatedhash === null) {
         throw new moodle_exception('Failed to generate password hash.');
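Review bot: The failure check at the end of this hunk (`$generatedhash === false || $generatedhash === null`) does not cover the two new `crypt()` branches, because `crypt()` signals failure with a short marker string such as `*0` rather than false or null, so a failed SHA-256/SHA-512 hash would pass this check. Extend the guard, for example `if ($generatedhash === false || $generatedhash === null || strlen($generatedhash) < 13) {`. Separately, `rounds=5000` is SHA-crypt's default and the `$fasthash` value of 1000 is its minimum, which is likely far cheaper to attack offline than the bcrypt default these branches replace; consider a substantially higher, configurable round count with a comment explaining the choice. The body of hash_internal_user_password continues past the hunk.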
@@ -4683,7 +4703,10 @@ function update_internal_user_password($user, $password, $fasthash = false) {
     } else if (isset($user->password)) {
         // If verification fails then it means the password has changed.
         $passwordchanged = !password_verify($password, $user->password);
-        $algorithmchanged = password_needs_rehash($user->password, PASSWORD_DEFAULT);
+        $algorithmchanged = property_exists($CFG, 'hashalgorithm')
+        ? $hashedpassword !== $user->password
+        : password_needs_rehash($user->password, PASSWORD_DEFAULT);
+
     } else {
         // While creating new user, password in unset in $user object, to avoid
         // saving it with user_create()
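Review bot: In the new ternary, `$hashedpassword !== $user->password` cannot detect an algorithm change: if `$hashedpassword` is the freshly salted output of hash_internal_user_password() (it is assigned outside this hunk), it differs from the stored hash on every call, so `$algorithmchanged` is always true and the password record would be rewritten each time this runs. The guard is also inconsistent with hash_internal_user_password, which requires `!empty($CFG->hashalgorithm)`; here an empty setting takes the string-comparison branch although bcrypt is still in use. Decide from the stored hash's scheme prefix instead, e.g. `$algorithmchanged = strpos($user->password, $prefix) !== 0;` with `$prefix` (a name constructed for this note) set to `'$5$'` or `'$6$'` for the configured algorithm, and keep `password_needs_rehash()` for the default case. The hunk does not show whether `$CFG` is declared `global` in update_internal_user_password; confirm it is.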
