CWP 1: Use SHA-512 rather than blowfish for password hashing (NZISM compliance)

[brynwhyman]

Copying from the issue to implement this in CWP 2:

Blowfish is the default hashing algo for SilverStripe. It is still considered a safe hashing algo (https://en.wikipedia.org/wiki/Blowfish_(cipher)), but is not on the list of approved cryptographic algorithms in the NZISM: https://www.nzism.gcsb.govt.nz/ism-document/#2106. We should set SHA-512 as a new default. Since the system tracks the algo per user, I believe we can do this without password resets. It kicks in either when an existing user changes their password, or when new users create a password. It should retain the cost parameter used in the blowfish logic.

Note that blowfish is a crypto algo which can be used for encryption, but can also form the basis for the bcrypt hashing algorithm - which is how we're using it. Meaning we're hashing passwords, not encrypting them - even though the APIs in SilverStripe are named misleadingly (Security::encrypt_password()).

To be clear, this is not a security vulnerability, but rather a compliance issue.

[robbieaverill]

You want https://github.com/silverstripe/cwp-core/pull/69 backported to CWP 1.10?

[robbieaverill]

Done in 3ed15e9