Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


(warning) This plugin is considered Experimental.



  1. This is a non-core plugin, see Installing and Enabling Registry Plugins for more information.
  2. This plugin requires PHP 7 or later (for random_bytes).

Password Policies

Much angst has been generated over the years as security experts try to decide what the appropriate password policies should be. How long should a password be? How many character classes should be required? How often should the password be changed? What types of questions are good for resetting the password?


Checking against commonly used or compromised passwords (CO-1501) and password strength meters (CO-1502) are not currently supported.

Password Hashing Formats

Currently the only supported hash format is crypt (PASSWORD_DEFAULT) as implemented by the PHP password_hash function. The following hashing formats are currently supported:

  1. Crypt, as implemented by the PHP password_hash function using PASSWORD_DEFAULT. This is the strongest hashing option, but is only suitable for use in PHP based applications that implement password_verify. This format is enabled by default and cannot be disabled since it is used internally by the plugin.
  2. SSHA, or Salted SHA-1. This option is suitable for writing to LDAP servers. Available as of Registry v3.2.0.
  3. Plaintext, or unhashed. This option is normally not recommended, but may be suitable for select scenarios where a password must be provisioned in plaintext to a legacy downstream system.

Additional formats are likely to be supported in future releases.

Multiple hashing formats may be enabled concurrently. When a Password is set or changed, the password will be hashed in each enabled format.

Supported Provisioners

The LDAP Provisioning Plugin supports writing the hashed password to the userPassword attribute. As of Registry v3.2.0, the plugin will only write SSHA hashed values to the LDAP record.