Hashed passwords, faster search and more

Today's update (3648106) brings with it the following changes:

Security issues

Passwords are now hashed with the Bcrypt algorithm. If you need to recover your password this is now done by sending a time-limited password reset link by email.
The forgotten password form is now protected by a honeypot security feature that should stop most spambots. This should reduce the possibility that the form is used in a DDoS amplification attack against a third party.

Search features should now be much faster, as they use trigram database indexes. Searches for containers, objects, courses, institutions, users and mailbox messages should be significantly faster. The user search feature supports substring matching again, making it easier to search for partial user names.

When the sound recorder is used an event is sent to our metrics aggregation service (InfluxDB). This enables us to measure sound recorder usage on different platforms and browsers.
Ownership of any container or object can now be transferred to a predefined user by global administrators. This should make it possible to clean up ownership on all of our existing course content. When an administrator use the feature a status message is sent to them when the job is completed.
Select support staff can now impersonate another user. When this feature is used it is logged in a way that can't be removed by support staff. The feature was added to make it easier for support staff to help end-users without needing to know their password.

Modernized HTTP/CGI request parsing. This moves us one step closer to not being dependent on the FastCGI protocol for communication between our web workers and the reverse proxy. Should have no end-user impact.
Google Chrome Headless is now used instead of unmaintained PhantomJS to perform browser-based testing.

Completely removed PhantomJS support code.
Removed various database columns, indexes and sequences related to local file storage that are no longer in use.