dongilbert
14 Dec 2013

This PR backports the password security fix from 3.2.1 to 2.5.x.

What we need now is LOTS of testing. If you are able to run multiple PHP environments, please test in all of them available.

In order to test, create a fresh Joomla installation. Then, apply this patch and log out. Once you're logged out, check your database #__users table, you should see your password in there with a : somewhere near the middle. Now, log back into the site (you should have no issues logging in, if you do, the test failed, and leave a -1 with details about your PHP environment). The entry in the database table should be changed, and it will now be prefixed with $P$ which indicates that your password is now hashed using phpass. If you got this far, and don't have access to any other PHP environments to do extended testing in, I want to personally say thanks for taking the time, it is appreciated. Please leave a comment with a +1 that contains the PHP version you tested.

If you do have other environments available, can you do some extended testing? Awesome. The extended testing would consist of moving your Joomla installation to a new PHP environment, and making sure you are able to log in there as well without issue.

One other item to test is a fresh installation with the patch already applied. You can download a complete installation with the patch applied from here: https://github.com/dongilbert/joomla-cms/archive/25PasswordSecurity.zip Use it to do a fresh installation, and just check to make sure that the password for the user you created is prefixed with $P$ in the database, and that you can log in just fine. If you can, leave a +1 on a successful test! Thanks!

If you do run into any issues while testing, including not being able to log in, or your password not being re-hashed to be prefixed with $P$, please leave a comment below with a -1, and detail the environment you were in that failed.
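
The re-hash-on-login behaviour that the testing steps above check for, as an added Python example (not code from this PR or from Joomla). It assumes the legacy value is the hex MD5 of password plus salt, then a `:`, then the salt, and that `$P$` values use the portable phpass scheme; `login`, `hash_format` and the sample row are hypothetical names.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    # phpass's base64 variant: little-endian 3-byte groups, 6 bits per char
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    # setting = "$P$" + cost char + 8 salt chars (anything after is ignored)
    cost_log2 = ITOA64.find(setting[3:4])
    if not setting.startswith("$P$") or len(setting) < 12 or not 7 <= cost_log2 <= 30:
        return "*"  # invalid setting: can never equal a stored hash
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def hash_format(stored: str) -> str:
    if stored.startswith("$P$") and len(stored) == 34:
        return "phpass"
    return "legacy" if ":" in stored else "unknown"

def login(password: str, stored: str, cost_log2: int = 10):
    """Return (ok, value_to_store); a legacy hash that verifies is re-hashed."""
    kind = hash_format(stored)
    if kind == "phpass":
        candidate = phpass_hash(password, stored)
        return hmac.compare_digest(candidate.encode(), stored.encode()), stored
    digest, _, salt = stored.partition(":")
    legacy = hashlib.md5((password + salt).encode()).hexdigest()
    if kind != "legacy" or not hmac.compare_digest(legacy.encode(), digest.encode()):
        return False, stored
    setting = "$P$" + ITOA64[cost_log2] + _encode64(os.urandom(6))
    return True, phpass_hash(password, setting)

# Constructed sample row: legacy "md5(password + salt):salt" for password "secret"
SAMPLE_LEGACY = hashlib.md5(b"secretCONSTRUCTEDSALT").hexdigest() + ":CONSTRUCTEDSALT"
```

A failed login leaves the stored value untouched, so a row that still contains `:` after a successful login is the failure case the description asks testers to report.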

dongilbert - open - 14 Dec 2013
infograf768 - comment - 15 Dec 2013

Please create tracker and cross-reference.

dongilbert - change - 16 Dec 2013
esedic - comment - 18 Dec 2013

+1

Testing environment:
XAMPP on Win7
MySQL: 5.5.16
PHP: 5.3.8
Apache: 2.2.21

mbabker - reference | 691e479 - 24 Jan 14
mbabker - merge - 24 Jan 2014
mbabker - close - 24 Jan 2014
mbabker - change - 24 Jan 2014
The description was changed
Description (before): This PR backports the password security fix from 3.2.1 to 2.5.x. Please see testing instructions here: #2656 (https://github.com/joomla/joomla-cms/pull/2656, "Use Portable PHP Passwords (PHPass) for password hashes.")
Description (after): the description and testing instructions shown at the top of this page
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2014-01-24 01:29:34