The laddr-import script writes legacy password hashes verbatim into LegacyPasswordCredential records, and the eventual account-claim endpoint will verify against them with whatever algorithm those hashes use.
Synthetic fixture data uses bcrypt (`$2y$10$...`) per common Emergence-PHP conventions, but we haven't inspected real production hashes yet. Before staging cutover:
- Pull the first ~20 `Password` values from a fresh production dump
- Confirm they all share a single algorithm prefix (`$2y$`, `$2a$`, `$6$`, etc.)
- If anything other than bcrypt appears, add a verifier in the account-claim plan and surface a warning in the import-laddr report
Filed as Follow-up from PR #24 (laddr-import).
The laddr-import script writes legacy password hashes verbatim into
LegacyPasswordCredentialrecords, and the eventual account-claim endpoint will verify against them with whatever algorithm those hashes use.Synthetic fixture data uses bcrypt (`$2y$10$...`) per common Emergence-PHP conventions, but we haven't inspected real production hashes yet. Before staging cutover:
Filed as Follow-up from PR #24 (laddr-import).