[9.x] Improve password checks

[korkoshko]

It also fixes a possible collision when credentials contains only "password" values.

$provider->retrieveByCredentials(['password' => 'dayle', 'password2' => 'night']);

As a result of the code above, the first record will be retrieved from the table in the database.

[driesvints]

This a major breaking change and security risk. You're trying to retrieve users by their unhashed passwords, something that should be avoided at all costs. Please hash your passwords.

[korkoshko]

@driesvints Sorry, maybe I didn't express myself very well. After my changes to the retrieveByCredentials method all password values are excluded from credentials array. This method calling by method "attempt" in SessionGuard, which is used in the Auth facade.

[korkoshko]

@driesvints Now there is a bug when only two or more keys with the substring "password" can be passed to the "attempt" method as input:

Auth::attempt(['password' => 'dayle', 'password2' => 'night']);

As a result of this "bug", the first record (without filters) will be retrieved from the table, and this is not good : )

[korkoshko]

@driesvints just look L108 and then L120 to understand the bug above.

[driesvints]

@korkoshko I finally see what you meant now. Sorry, misjudged this. Thanks for your PR 👍