path: root/CHANGELOG.txt
author: Dries Buytaert <dries@buytaert.net> 2008-03-31 20:50:05 +0000
committer: Dries Buytaert <dries@buytaert.net> 2008-03-31 20:50:05 +0000
commit: ed59911f9ee542da87ae7cddcb2d50da0e785079
tree: 8b7f873dd371ae19d1f678e26ad548c47ff1b0ad /CHANGELOG.txt
parent: 763298455f88e26f286749b5f7ff6c9471742012
- Patch #29706 by pwolanin, solardiz, et al: more secure password hashing.
This is a big and important patch for Drupal's security. We are switching to much stronger password hashes that are also compatible with the Portable PHP password hashing framework. The new password hashes defeat a number of attacks, including:
- The ability to try candidate passwords against multiple hashes at once.
- The ability to use pre-hashed lists of candidate passwords.
- The ability to determine whether two users have the same (or different) password without actually having to guess one of the passwords.

Also implemented a pluggable password hashing API (similar to how an alternate cache mechanism can be used) to allow developers to readily substitute an alternative hashing and authentication scheme.

Thanks all!
Diffstat (limited to 'CHANGELOG.txt')
-rw-r--r-- CHANGELOG.txt 5
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 102892f41..194c08682 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -4,6 +4,11 @@ Drupal 7.0, xxxx-xx-xx (development version)
----------------------
- Security:
* Protected cron.php -- cron will only run if the proper key is provided.
+ * Changed to much stronger password hashes that are also compatible with the
+ Portable PHP password hashing framework.
+ * Implemented a pluggable password hashing API (similar to how an alternate
+ cache mechanism can be used) to allow developers to readily substitute
+ an alternative hashing and authentication scheme.
- Usability:
* Implemented drag-and-drop positioning for input format listings.
* Provide descriptions for permissions on the administration page.
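Review bot: The first added entry ("Changed to much stronger password hashes ...") does not say what happens to passwords already stored before the change, which is the first question a site administrator reading the Security section will have; add a clause stating whether existing hashes are converted and at what point. "Much stronger" is also unverifiable as written: the commit message lists the concrete properties (no testing one candidate against multiple hashes at once, no pre-hashed candidate lists, no telling whether two users share a password), and a short parenthetical carrying those into the entry would make the claim checkable. For the second entry, name where the pluggable implementation is selected so a developer can find the API from the changelog alone.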