Use phpass as our hashing mechanism, and check for it first (instead

of checking G1/G2 techniquew first).

modules/user/helpers/user.php

@@ -214,14 +214,21 @@ class user_Core {
   static function is_correct_password($user, $password) {
     $valid = $user->password;
 
+    // Try phpass first, since that's what we generate.
+    if (strlen($valid) == 34) {
+      require_once(MODPATH . "user/lib/PasswordHash.php");
+      $hashGenerator = new PasswordHash(10, true);
+      return $hashGenerator->CheckPassword($password, $valid);
+    }
+
     $salt = substr($valid, 0, 4);
-    /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
+    // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes:
     $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
     if (!strcmp($guess, $valid)) {
       return true;
     }
 
-    /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
+    // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities
     $sanitizedPassword = html::specialchars($password, false);
     $guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
           : ($salt . md5($salt . $sanitizedPassword));
@@ -229,13 +236,6 @@ class user_Core {
       return true;
     }
 
-    /* Also support hashes generated by phpass for interoperability with other applications */
-    if (strlen($valid) == 34) {
-      require_once(MODPATH . "user/lib/PasswordHash.php");
-      $hashGenerator = new PasswordHash(10, true);
-      return $hashGenerator->CheckPassword($password, $valid);
-    }
-
     return false;
   }
 
@@ -245,7 +245,9 @@ class user_Core {
    * @return string hashed password
    */
   static function hash_password($password) {
-    return user::_md5Salt($password);
+    require_once(MODPATH . "user/lib/PasswordHash.php");
+    $hashGenerator = new PasswordHash(10, true);
+    return $hashGenerator->HashPassword($password);
   }
 
   /**