Hi everybody! After upgrading Kirby from 2.x to 3.2.5, and moving all user accounts to the new installation, we face a strange situation: Users that existed before the upgrade can still log in. But newly created users - or users who now change their passwords - cannot. Checking their .htpasswd file shows the (probable) reason: The new passwords are not encrypted, whereas passwords of the older users are hashed. And if a user with formerly hashed password changes his password, Kirby now stores it as clear text. My question is: Why? How can I make .htpasswd files hashed again?
You are using an outdated Kirby version, probably in conjunction with PHP 7.4. Please update to 3.3.6.
@romano:
Did you follow the whole Kirby-Docs: How to migrate users with PHP version 7.2 or 7.3?
@anon77445132: Thanks for the hint. Yes, we followed the docs. And its not a problem with the migrated users. The problem is that the new installation does not encrypt password files of new users, but stores them as plain text in .htpasswd!
As I already wrote above, if you are on PHP 7.4, you have to update (which you should do anyway). This is then an issue with versions before 3.3.2 not being compatible with PHP 7.4 resulting in plain text passwords being stored.
2 Likes
@pixelijn: Thanks very much for the explanation, this sounds plausible… Too bad that we can’t fix this without updating Kirby again! 
Is there maybe a shortcut from 3.2.5 to 3.3.6?
For security reasons you should always keep your Kirby version up to date.
Why don’t you want to update?
What do you mean with a shortcut?
A short way… but ok, it’s fine, I’ll update.
Look at https://getkirby.com/docs/guide/quickstart#updates for details. But don’t update a live system without testing on your development system in front!
Thanks again! That helps! Just replacing the Kirby folder seems manageable! 
There were only very few breaking changes between 3.2 and 3.3 and they shouldn’t affect you, see https://github.com/getkirby/kirby/releases/tag/3.3.0.
You might want to update deprecated methods though, to be prepared for the future…
@pixelijn: Great, thanks for your help!