Password: Remove password_blowfish_cost option, in favor of password_algorithm_options

CHANGELOG.md

@@ -13,6 +13,7 @@
 - Add option to control links handling behavior on html to text conversion (#6485)
 - Disable the default spellchecker option using spell.roundcube.net (#8182)
 - Enigma: Upgrade to OpenPGP.js v5.0
+- Password: Remove password_blowfish_cost option, in favor of password_algorithm_options
 - Password: Remove support for password_algorithms crypt, hash and cram-md5
 - Password: Remove support for %c, %d, %n, %q variables in password_query
 - Password: Add support for passwords based on PHP's password_hash() function (#7724)

plugins/password/config.inc.php.dist

@@ -52,6 +52,7 @@ $config['password_algorithm'] = 'clear';
 
 // Additional options for password hashing function(s).
 // For password_hash()-based passwords see https://www.php.net/manual/en/function.password-hash.php
+// It can be used to set the Blowfish algorithm cost, e.g. ['cost' => 12]
 $config['password_algorithm_options'] = [];
 
 // Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
@@ -71,11 +72,6 @@ $config['password_dovecotpw_method'] = 'CRAM-MD5';
 // when using password_algorithm=dovecot
 $config['password_dovecotpw_with_method'] = false;
 
-// Iteration count parameter for Blowfish-based hashing algo.
-// It must be between 4 and 31. Default: 12.
-// Be aware, the higher the value, the longer it takes to generate the password hashes.
-$config['password_blowfish_cost'] = 12;
-
 // Number of rounds for the sha256 and sha512 crypt hashing algorithms.
 // Must be at least 1000. If not set, then the number of rounds is left up
 // to the crypt() implementation. On glibc this defaults to 5000.