Missing mention of breaking changes in 2.3 upgrade notes

[jaakristioja]

Is your feature request related to a problem? Please describe.

The Upgrade notes for SimpleSAMLphp 2.3 fail to mention a breaking change:

• The auth.adminpassword configuration value no longer allows raw passwords (see FAQ).

This caused admins being locked out after upgrade. I don't remember having seen any prior warning about this.

Describe the solution you'd like
Describe this breaking change in the Upgrade notes.

Describe alternatives you've considered
Allow raw passwords again, but as a deprecated feature. And warn users/admins if raw passwords are used.

Additional context
Screenshot of surprise waiting admins who wish to login after upgrade:

[jaakristioja]

The documentation is also incorrect about auth.adminpassword:

simplesamlphp/docs/simplesamlphp-install.md

Lines 223 to 231 in 74c4130

	* Set an administrator password. This is needed to access some of the pages in your SimpleSAMLphp installation web
	interface.
	Hashed passwords can also be used here. See the [`authcrypt`](./authcrypt:authcrypt) documentation
	for more information.
	```php
	'auth.adminpassword' => 'setnewpasswordhere',
	```

[tvdijen]

@monkeyiq I see I approved it, but this shouldn't have ended up in a minor release

[tvdijen]

99c5458 should cover your remarks. @thijskh do you see any added value in the reference to authcrypt, or the authcrypt module in general?

[monkeyiq]

I think this may have been brought in with this https://github.com/simplesamlphp/simplesamlphp/pull/2090/files#diff-983627d00a9d80f81d88c69bcbb98b31314b065343b99f882885f3936ec296cb

The old pwValid method would fall through to a === check on the hash and password to see if it matches...

simplesamlphp/src/SimpleSAML/Utils/Crypto.php

Line 371 in 5857027

public function pwValid(string $hash, string $password): bool

I approved PR 2090 without noticing the fallback of hash===pasword.

I then proposed to add a special case back to avoid changing how things function #2110

This lead to keeping the hash only and making note of it #2113

Perhaps I should have pushed harder for PR 2110 as it was only restoring functionality to where it was.