Drupal 12 Adopts Argon2id for Default Password Hashing
Drupal 12 will use Argon2id as its default password hashing algorithm, replacing bcrypt and aligning the platform with current security recommendations from OWASP and NIST. The update, detailed by Drupal founder Dries Buytaert, strengthens protection against modern password cracking techniques while maintaining compatibility across hosting environments.
The change reflects Drupal’s continued focus on security for large-scale and sensitive deployments. Password hashing has evolved across major Drupal versions in response to advances in attack capabilities. Early versions relied on MD5 hashing, which is now considered insecure. Drupal 7 introduced a salted and iterated SHA-512 approach via the phpass library, while Drupal 10 adopted bcrypt as the default. The move to Argon2id continues this progression.
Argon2id introduces a key technical advantage over bcrypt through its “memory-hard” design. Each hash computation requires a configurable amount of memory, limiting the ability of attackers to run large numbers of parallel guesses using modern GPUs. While GPUs can efficiently execute many bcrypt operations simultaneously due to low memory requirements, Argon2id constrains parallelism by increasing per-operation memory usage, making large-scale attacks more expensive and less efficient.
The implementation is designed to be transparent for site owners and users. Existing passwords will be automatically rehashed using Argon2id the next time a user successfully logs in, eliminating the need for forced password resets or manual migration. If Argon2id support is unavailable in a given PHP environment, Drupal will fall back to bcrypt to ensure compatibility.
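The login-time upgrade and bcrypt fallback described above look like this when written against PHP's built-in password API. This is an added example, not Drupal's code: the function names, the in-memory `$store` array and the sample account are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Drupal's implementation. All names are hypothetical.

// Pick Argon2id when this PHP build was compiled with it, otherwise bcrypt.
// No return type is declared because the constant's type differs across PHP versions.
function preferred_algo() {
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Verify a login and, only on success, upgrade the stored hash in place.
// The plaintext is available only at this moment, which is why migration
// happens at login rather than as a batch job over the user table.
function login_and_upgrade(array &$store, string $user, string $password): bool {
    $stored = $store[$user] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false; // failed logins never modify the stored hash
    }
    $algo = preferred_algo();
    // True when the stored hash uses a different algorithm (or different
    // cost parameters) than the current target.
    if (password_needs_rehash($stored, $algo)) {
        $store[$user] = password_hash($password, $algo);
    }
    return true;
}

// Report which algorithm produced a stored hash.
function algo_of(string $hash): string {
    return password_get_info($hash)['algoName'];
}

// Constructed sample: an account whose hash was created under bcrypt.
$store = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)];

echo 'before login:      ', algo_of($store['alice']), PHP_EOL;

login_and_upgrade($store, 'alice', 'wrong guess');
echo 'after bad login:   ', algo_of($store['alice']), PHP_EOL;

login_and_upgrade($store, 'alice', 'correct horse battery staple');
echo 'after good login:  ', algo_of($store['alice']), PHP_EOL;

// The old password still verifies against the upgraded hash.
var_dump(password_verify('correct horse battery staple', $store['alice']));
```

Because `password_needs_rehash()` also compares cost options, passing `memory_cost`, `time_cost` or `threads` in a third argument to both it and `password_hash()` upgrades existing Argon2id hashes the same way when those parameters are raised later.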
The update also reinforces Drupal’s “secure by default” approach. Many site administrators rely on default configurations for security-sensitive settings such as password storage. By adopting Argon2id, Drupal ensures stronger protection without requiring additional configuration or awareness from site owners.
Further technical details and context are available in Dries Buytaert’s original post: https://dri.es/drupal-12-switches-to-argon2id.


