Password handling

ecartz edited this page Jan 24, 2022 · 1 revision

CE Phoenix Cart uses PHP's native password_hash and password_verify functions. If you want to override the defaults, you can do so by adding the following to the configure.php files (both in catalog and admin), like so:

```php
const PHOENIX_ENCRYPTION = PASSWORD_DEFAULT;
const PHOENIX_PASSWORD_OPTIONS = [
  'cost' => 10,
];
```

Note that these values match PHP's current defaults. Change them to whatever values you need (e.g. PASSWORD_ARGON2ID with appropriate cost options). They are passed as password_hash($password, PHOENIX_ENCRYPTION, PHOENIX_PASSWORD_OPTIONS) without any changes, so you can use any value supported by your version of PHP.

If you change these options, the stored password hash is upgraded to the current algorithm and options at the user's next login (the only moment the plaintext is available to rehash). The same upgrade happens if your database contains hashes in older formats, such as PHPASS or salted MD5.

CE Phoenix Cart can also interact with Apache's htpasswd. Again, if you want to override the defaults, you can add one of the following to the configure.php file in admin (catalog does not interact with htpasswd):

```php
const APACHE_ENCRYPTION = 'APR-MD5';
```

or

```php
const APACHE_ENCRYPTION = PASSWORD_BCRYPT;
const APACHE_PASSWORD_OPTIONS = [
  'cost' => 10,
];
```

If Phoenix cannot detect that Apache supports bcrypt, it falls back to APR-MD5, which ignores APACHE_PASSWORD_OPTIONS. APACHE_ENCRYPTION can take the special string value APR-MD5 (useful if the bcrypt detection gives a false positive) or any of the algorithms supported by PHP's password_hash. Note that Apache may only support APR-MD5 and bcrypt, so you probably want to specify one of those or just leave it at the defaults. Also note that bcrypt is preferred to APR-MD5 for security reasons. Argon 2 may be preferable to either of those, but I don't believe that Apache supports it.
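The following is an added example, not CE Phoenix Cart's own code, showing how the constants described on this page feed password_hash and password_verify, how a stored hash gets upgraded at login when it no longer matches the configured algorithm or cost, and how a bcrypt htpasswd line is produced for Apache. The constant names follow this page; the helper function names (phoenix_hash_password, phoenix_check_login, phoenix_htpasswd_line) and the sample password are assumptions made for the example.

```php
<?php
// Added example (not CE Phoenix Cart's own code). Constant names follow the
// wiki page; the helper function names are hypothetical.

if (!defined('PHOENIX_ENCRYPTION')) {
    define('PHOENIX_ENCRYPTION', PASSWORD_DEFAULT);      // the documented default
}
if (!defined('PHOENIX_PASSWORD_OPTIONS')) {
    define('PHOENIX_PASSWORD_OPTIONS', ['cost' => 10]); // the documented default
}

// Hash a new or changed password with the configured algorithm and options,
// exactly as the page describes: the constants are passed through unchanged.
function phoenix_hash_password(string $password): string
{
    return password_hash($password, PHOENIX_ENCRYPTION, PHOENIX_PASSWORD_OPTIONS);
}

// Verify a login attempt against the stored hash. When the stored hash was made
// with a different algorithm or cheaper cost than the current configuration,
// return an upgraded hash so the caller can write it back to the database.
// password_verify understands any crypt()-style hash, so a login with an old
// hash still succeeds and is then upgraded (the "rehash at next login" flow).
function phoenix_check_login(string $password, string $stored_hash): array
{
    if (!password_verify($password, $stored_hash)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new_hash = null;
    if (password_needs_rehash($stored_hash, PHOENIX_ENCRYPTION, PHOENIX_PASSWORD_OPTIONS)) {
        $new_hash = phoenix_hash_password($password);
    }
    return ['ok' => true, 'new_hash' => $new_hash];
}

// Build an htpasswd line for Apache using bcrypt. PHP's PASSWORD_BCRYPT produces
// the $2y$ format, which is the same format Apache 2.4's `htpasswd -B` writes.
// APR-MD5 is not covered here because PHP has no native implementation of it.
function phoenix_htpasswd_line(string $user, string $password, int $cost = 10): string
{
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Demonstration with constructed values.
$pw = 'correct horse battery staple';

// A hash left over from a cheaper configuration (constructed here with cost 4).
$old_hash = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 4]);

$result = phoenix_check_login($pw, $old_hash);
if ($result['ok'] && $result['new_hash'] !== null) {
    echo "login ok, stored hash upgraded to: {$result['new_hash']}\n";
    // In a real flow: UPDATE customers SET customers_password = :new_hash ...
}

// A hash already at the configured cost needs no rehash.
$current = phoenix_check_login($pw, phoenix_hash_password($pw));
echo 'rehash needed: ', var_export($current['new_hash'] !== null, true), "\n"; // false

// A wrong password is rejected and nothing is rehashed.
$bad = phoenix_check_login('not the password', $old_hash);
echo 'bad password accepted: ', var_export($bad['ok'], true), "\n"; // false

echo phoenix_htpasswd_line('admin', $pw), "\n";
```

The cost-4 hash in the demonstration stands in for an older install; in practice the same code path handles a change of PHOENIX_ENCRYPTION or PHOENIX_PASSWORD_OPTIONS, since password_needs_rehash compares the stored hash's algorithm and parameters against the current constants.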
