Backdrop 1.27.2 now includes an account's email address as part of the hashed key used in password reset emails. This makes it so that changing the email address of an account will invalidate existing password reset links.

For site-owners, the only change to be aware of is that upgrading from earlier versions of Backdrop will cause existing password reset links to become invalidated. Users can request a new reset link that will use the updated hash key.

For module developers, if you use the user_pass_rehash() function, pass in the new last $mail parameter.


$hash = user_pass_rehash($password, $timestamp, $user->login, $user->uid);


$hash = user_pass_rehash($password, $timestamp, $user->login, $user->uid, $user->mail);
Introduced in branch: 
Introduced in version: 
Module developers