I have stumbled over a design flaw in the internal encrypted password store. When I changed the way I build PHP - in particular, I added "-fstack-protector" to the compiler options - my passwords no longer matched and I could no longer log in to any of my SilverStripe projects. I tracked down the issue to sapphire/security/Security.php line 794:
$password = substr(base_convert($password, 16, 36), 0, 64);
The PHP manual says: "base_convert() may lose precision on large numbers due to properties related to the internal "double" or "float" type used." So only around 10 characters of that 64-character string are really computed from the hash! The rest is some random data from the stack. Therefore the new compiler option crashed the password database. How can I fix this?
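The precision loss quoted from the manual can be reproduced outside PHP. The following is an added example, not part of the original post and not SilverStripe or PHP source code: it compares a lossless base-16 to base-36 conversion with a simplified model of a conversion that passes through a 64-bit float. All function names and both 40-digit sample values are constructed for illustration.

```python
import math

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Constructed 40-hex-digit values standing in for SHA-1 output (not real
# password hashes). They share the first 20 digits and differ in the last 20.
HASH_A = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b"
HASH_B = HASH_A[:20] + "0123456789abcdef0123"

def exact_base36(hex_str):
    """Base 16 -> base 36 with arbitrary-precision integers (lossless)."""
    n, out = int(hex_str, 16), ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
        if n == 0:
            return out

def hex_to_double(hex_str):
    """Accumulate the hex digits into a 64-bit float (simplified model)."""
    f = 0.0
    for c in hex_str:
        # A double has a 53-bit mantissa: once f is large enough, the
        # added digit is smaller than half an ulp and is rounded away.
        f = f * 16 + int(c, 16)
    return f

def double_base36(hex_str):
    """Emit base-36 digits from the float; the low digits hold no hash data."""
    f, out = hex_to_double(hex_str), ""
    while True:
        out = DIGITS[int(math.fmod(f, 36))] + out
        f /= 36
        if f < 1:
            return out

def shared_prefix(a, b):
    """Number of leading characters two strings have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

if __name__ == "__main__":
    for h in (HASH_A, HASH_B):
        exact, lossy = exact_base36(h), double_base36(h)
        print(h, exact, lossy, shared_prefix(exact, lossy), sep="\n  ")
    # Distinct inputs, identical float-based output:
    print(double_base36(HASH_A) == double_base36(HASH_B))
```

Each base-36 character carries about 5.17 bits, so a 53-bit mantissa covers roughly ten characters; everything after that depends on how the floating-point arithmetic is carried out rather than on the hash.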