It would be nice to kill off $wgPasswordSalt if we could (the ability to
set it to false that is).
This setting controls whether we use a salted password algorithm or an
unsalted one. Basically making something somewhat secure almost completely
insecure.
This setting appears to exist to make it possible for auth plugins on
other pieces of 3rd party software to log in using MediaWiki accounts by
directly accessing MediaWiki's database but not bothering to understand
any of MediaWiki's password algorithms.
A fairly dubious rationale to exist IMHO.
The current documentation on the setting is also completely and totally
false. It says "For compatibility with old installations set to false.",
but at this point this has absolutely nothing to do with compatibility.
Frankly even if we do have any sort of remaining incompatibility I'd bet
it would be fairly trivial to actually solve (eg: For ancient password
hashes just try both ancient algorithms instead of just one).
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
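
The fallback suggested in the message, trying both legacy algorithms when an old hash is checked, as an added PHP example that is not part of the original message and not MediaWiki's own code. The two legacy digest formats, the function names and the sample rows are assumptions, and password_hash() stands in for whatever current scheme the hash is upgraded to.

```php
<?php
// Added example with hypothetical names; not MediaWiki code.
// Assumed legacy formats (bare 32-hex MD5 digests):
//   unsalted: md5( password )
//   salted:   md5( userId . '-' . md5( password ) )

/** Return the legacy scheme that matches the stored digest, or null. */
function matchLegacyHash( string $stored, string $password, int $userId ): ?string {
    $stored = strtolower( $stored );
    if ( !preg_match( '/^[0-9a-f]{32}$/', $stored ) ) {
        return null; // not a bare MD5 digest: leave it to the current code path
    }
    $inner = md5( $password );
    $candidates = [
        'salted'   => md5( $userId . '-' . $inner ),
        'unsalted' => $inner,
    ];
    $match = null;
    // Check every candidate with the constant-time hash_equals(), no early exit.
    foreach ( $candidates as $scheme => $digest ) {
        if ( hash_equals( $digest, $stored ) && $match === null ) {
            $match = $scheme;
        }
    }
    return $match;
}

/** On a successful legacy match, return a replacement hash to store; else null. */
function verifyAndUpgrade( string $stored, string $password, int $userId ): ?string {
    if ( matchLegacyHash( $stored, $password, $userId ) === null ) {
        return null;
    }
    // Assumption: upgrade to PHP's built-in salted scheme at next login.
    return password_hash( $password, PASSWORD_DEFAULT );
}

// Constructed sample rows: one unsalted, one salted, one with the wrong password.
$rows = [
    [ 'id' => 42, 'hash' => md5( 'correct horse' ), 'try' => 'correct horse' ],
    [ 'id' => 42, 'hash' => md5( '42-' . md5( 'correct horse' ) ), 'try' => 'correct horse' ],
    [ 'id' => 42, 'hash' => md5( 'correct horse' ), 'try' => 'wrong guess' ],
];
foreach ( $rows as $row ) {
    $scheme = matchLegacyHash( $row['hash'], $row['try'], $row['id'] );
    $new = verifyAndUpgrade( $row['hash'], $row['try'], $row['id'] );
    printf( "%s: %s, rehash: %s\n", $row['hash'], $scheme ?? 'no match', $new !== null ? 'yes' : 'no' );
}
```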