Are we even using this code anymore?

I think we use it at least in manual and cookie login, in password reset request and a couple of other occurrences.

It is only used to validate passwords for user accounts created at ~ 2.5.18 thru 2.5.28 or 3.2.1 thru 3.2.7 which haven't been converted to bcrypt yet.

This is third party code. We shouldn't be touching it.

However, it raises E_DEPRECATED error, and will stop working in PHP 8.
Should we consider to adopt it in case we still need it, or remove it otherwise?

Depending on your operating configuration, Joomla core can emit E_DEPRECATED messages on every PHP release from 5.5 up to and including 7.1. It happens. We have accounted for it in our code to the extent practical, but it's not on us to fork third party code to keep error logs clean.

It is only used to validate passwords for user accounts created at ~ 2.5.18 thru 2.5.28 or 3.2.1 thru 3.2.7 which haven't been converted to bcrypt yet.

That's what I meant by

Are we even using this code anymore?

Yes, we are. If we stopped using it, user accounts on sites migrated from those versions to current Joomla would have to go through the password reset process to get back into their accounts (it's more likely those are active accounts if coming from 2.5 than 3.2). It is not the primary password hash though and will only trigger if a $P$ prefixed hash is given to the validator.

@mbabker if I persuade the author of the library to update it, can we import the new version as is?

Absolutely. However @photodude has tried too and so far, while he's willing to push an update, it's a low priority task for him.

Last update I was told maybe at the end of the month or beginning of next month the update to phpass will happen.

@demis-palma by the way, this is technically correct but functionally the wrong way to fix this as your change would break backward compatibility. Please look at my PR #13813 (closed as the original developer is going to push an update with additional changes) in that you can see the correct way to address both old constructors for B/C and fix the deprecation notice.

Read http://cweiske.de/tagebuch/php4-constructors-php7.htm for an explanation on this B/C fix.

You can also look at my fork of the project that's available until PHPASS has an official update. https://github.com/photodude/phpass (NOTE: there are additional untested changes in this fork, it is only intended as a code example for recommended changes to facilitate an update from the original developer)

Ok so we can close here and move this to an issue until the original author updated the lib?

here is the PR with the new version
#15704