fix: use password_hash instead of unsalted SHA-256 for password storage

[tranquac]

Summary

Replace weak unsalted SHA-256 password hashing with PHP's password_hash() for secure password storage.

Problem

The installation script stores admin passwords using unsalted SHA-256:

$config['password'] = hash('sha256', $_POST['password']);

SHA-256 without a salt is not suitable for password storage because:

1. No salt: Identical passwords produce identical hashes, enabling rainbow table attacks
2. Fast hashing: SHA-256 can compute billions of hashes/second on GPUs, making brute-force trivial
3. No key stretching: Unlike bcrypt/argon2, SHA-256 doesn't intentionally slow down hashing

Real-world impact

• A leaked password hash e3b0c44... can be cracked in seconds using rainbow tables or hashcat
• GPU-based brute force can try ~10 billion SHA-256 hashes per second

Fix

Replace with PHP's password_hash() which uses bcrypt by default:

$config['password'] = password_hash($_POST['password'], PASSWORD_DEFAULT);

password_hash() provides:

• Automatic salting: Each hash gets a unique random salt
• Key stretching: bcrypt is intentionally slow (~100ms per hash)
• Future-proof: PASSWORD_DEFAULT upgrades algorithm with PHP versions

Note: Password verification should also be updated from hash('sha256', $input) === $stored to password_verify($input, $stored).

Impact

• Type: Weak Password Storage (CWE-916)
• OWASP: A02:2021 — Cryptographic Failures
• Affected file: install/contorl.php
• Risk: Password compromise via rainbow tables or brute force if database is leaked