Better Passwords 1.8 released

Last year I released some WordPress plugins for Better Security, including Better Passwords. This is a WordPress plugin that stops the use of bad passwords, including those in the Have I Been Pwned? breached password database.

Whilst the main reason for creating the plugin was to stop a breached password from being re-used, it also allows you to set a minimum password length, which is one of the best ways to ensure a stronger password without setting arbitrary complexity rules. It also allows you to change the algorithm that WordPress uses to hash the password before storing it in your database.

This last part is useful if your database (or a backup of it) was compromised and fell into the wrong hands.  The plugin allows the use of the Bcrypt or Argon2 algorithms, if your version and installation of PHP supports these algorithms.

Unfortunately there was a breaking change in PHP 7.4 which meant that the check was failing, making the two Argon2 algorithms unavailable.  This was kindly reported to me by Ray Bernard via the plugin support forum, but the notification emails for this appear to be falling into a black hole (which I need to investigate and resolve!).  Luckily he followed up directly with an email, not only with the problem but also the solution – thank you!

This has now been resolved in the latest version, released yesterday.

It’s also worth noting that the Argon2i and Argon2id algorithms need to be added to your PHP installation as well, as they are optional modules that may not be included by your host. You can usually do this in your cPanel, but if not then you may need to contact your host to get them added.
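
To see which of these algorithms your own PHP installation offers, you can run a short script like the one below. This is an added example, not code from the plugin; the function names `available_password_algorithms` and `algorithm_round_trips` are hypothetical. It only tests whether each `PASSWORD_*` constant is defined and never compares the constant's value, so it works the same way on PHP versions before and after 7.4.

```php
<?php
// Added example (not the plugin's code): report which password-hashing
// algorithms this PHP build offers and confirm each one actually works.

/**
 * Return the password_hash() algorithms defined in this PHP build,
 * keyed by a display name. Only the existence of each constant is
 * tested; its value (and type) is passed through untouched.
 */
function available_password_algorithms(): array
{
    $candidates = [
        'bcrypt'   => 'PASSWORD_BCRYPT',
        'argon2i'  => 'PASSWORD_ARGON2I',
        'argon2id' => 'PASSWORD_ARGON2ID',
    ];

    $available = [];
    foreach ($candidates as $name => $constant) {
        // The Argon2 constants are absent when PHP lacks Argon2 support.
        if (defined($constant)) {
            $available[$name] = constant($constant);
        }
    }
    return $available;
}

/**
 * Hash and verify a constructed sample password with the given algorithm,
 * so a defined-but-broken algorithm is reported rather than assumed usable.
 */
function algorithm_round_trips($algo): bool
{
    $sample = 'constructed-sample-passphrase'; // constructed test value
    $hash = password_hash($sample, $algo);
    return is_string($hash)
        && password_verify($sample, $hash)
        && !password_needs_rehash($hash, $algo);
}

printf("PHP %s\n", PHP_VERSION);
foreach (available_password_algorithms() as $name => $algo) {
    printf("%-9s %s\n", $name, algorithm_round_trips($algo) ? 'available' : 'defined but failing');
}
// password_algos() only exists from PHP 7.4 onwards.
if (function_exists('password_algos')) {
    echo 'password_algos(): ', implode(', ', password_algos()), "\n";
}
```

Run it with the same PHP binary your web server uses, since the command-line build on a shared host can differ from the one serving WordPress.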