Type: Bug
Resolution: Unresolved
Priority: Major
Versions: 4.0.0-a1, 3.3.15
After an upgrade from phpBB 2.0.x/3.0.x, phpBB converts stored password hashes to the newer format (usually one of the Argon2 variants). The same conversion also happens when a user logs in to a phpBB account whose password hash has the "convert" flag set.
If the password driver's hash() method does not return a valid hash because of an error (e.g. a memory allocation error), the stored password hash is updated to an empty string.
Neither the "update_hashes" cron task nor the "db" auth provider checks whether the new hash is empty before storing it.
Additionally, since PHP 8.0.0 password_hash() no longer returns false on failure; instead a ValueError is thrown if the password hashing algorithm is not valid, or an Error if the password hashing failed for an unknown reason. The behaviour changed again in PHP 8.3.0 (see https://www.php.net/manual/en/function.password-hash.php).
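The guard that both the cron task and the auth provider are missing, as an added example (not phpBB's own code); it assumes a hypothetical HashDriver interface standing in for a phpBB password driver and covers both the pre-8.0 `false` return and the PHP 8 exception path:

```php
<?php
declare(strict_types=1);

// Hypothetical driver interface standing in for a phpBB password driver.
interface HashDriver {
    /** @return string|false Returns false when hashing fails (pre-PHP 8 style). */
    public function hash(string $password);
}

// Returns the new hash to store, or null when the stored hash must NOT be touched.
function safeConvertedHash(HashDriver $driver, string $password): ?string
{
    try {
        $newHash = $driver->hash($password);
    } catch (\Error $e) {
        // PHP >= 8.0: password_hash() throws ValueError/Error instead of returning false.
        error_log('password hash conversion failed: ' . $e->getMessage());
        return null;
    }
    // Pre-8.0 style failure, or a driver that returns an empty/invalid value:
    // never let this reach the database.
    if (!is_string($newHash) || $newHash === '') {
        error_log('password hash conversion returned an empty hash; keeping old hash');
        return null;
    }
    return $newHash;
}

// Constructed driver that simulates the failure case (e.g. memory allocation error).
final class FailingArgonDriver implements HashDriver {
    public function hash(string $password) { return false; }
}

// Constructed driver that hashes successfully.
final class WorkingDriver implements HashDriver {
    public function hash(string $password) {
        return password_hash($password, PASSWORD_BCRYPT);
    }
}

// Constructed usage: a failing driver must leave the stored hash unchanged.
$storedHash = '$H$constructed_old_hash_placeholder';
$result = safeConvertedHash(new FailingArgonDriver(), 'correct horse');
$storedHash = $result ?? $storedHash;
assert($storedHash !== '');

$result = safeConvertedHash(new WorkingDriver(), 'correct horse');
assert(is_string($result) && $result !== '' && password_verify('correct horse', $result));
```

The update path should only write a hash when this returns a non-null value; an empty stored hash would otherwise lock the user out (or, depending on how the verifier treats an empty hash, behave unpredictably) until an administrator resets the password.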