Symfony recommends using the Bcrypt password hasher to hash the passwords of your applications. Bcrypt was specifically designed for long-term password storage and it's natively supported by PHP.
However, security is a fast-moving field where new best practices and recommendations emerge continuously. In recent months, the popularity of the Argon2 hashing algorithm has exploded, especially since it won the 2015 Password Hashing Competition. In fact, PHP 7.2 (to be released at the end of 2017) includes built-in support for Argon2.
That's why we decided to include an Argon2i password hasher in Symfony 3.4.
First, if you don't use PHP 7.2, add support for Argon2 by installing the Libsodium PHP extension on your server or by adding the libsodium-php library to your project. Then, use argon2i as the algorithm of the password hasher:
# app/config/security.yml
security:
    # ...
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: 'argon2i'
In existing applications using Bcrypt with a reasonably high hashing cost, there's no immediate need to rehash all the passwords using Argon2i. However, if you are creating a new project, you could consider using this new password hashing algorithm.
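The following is an added example, not Symfony's own code, showing what the `argon2i` setting above amounts to in plain PHP: hashing with PHP 7.2's native `PASSWORD_ARGON2I` when it exists, falling back to the libsodium extension (`ext/sodium`) otherwise, verifying a stored hash, and rehashing a legacy Bcrypt hash with Argon2i at login time for the gradual migration the previous paragraph describes. The function names and the sample password are hypothetical; the older PECL `\Sodium\...` function names are not handled.

```php
<?php
// Added example (not Symfony's own code): Argon2i hashing with the two
// backends the Symfony 3.4 hasher relies on, plus a lazy Bcrypt -> Argon2i
// migration on successful login.
declare(strict_types=1);

/**
 * Hash a plaintext password with Argon2i. The returned string embeds the
 * algorithm, its parameters and a random salt, so no separately stored salt
 * is needed (the "self-salting" property; Bcrypt behaves the same way).
 */
function hashArgon2i(string $plain): string
{
    if (\defined('PASSWORD_ARGON2I')) {
        // PHP >= 7.2: native Argon2i via password_hash()
        $hash = password_hash($plain, PASSWORD_ARGON2I);
    } elseif (\function_exists('sodium_crypto_pwhash_str')) {
        // PHP < 7.2 with ext/sodium. Note: libsodium picks the Argon2 variant
        // itself (Argon2i on older releases, Argon2id since libsodium 1.0.15);
        // sodium_crypto_pwhash_str_verify() below handles both.
        $hash = sodium_crypto_pwhash_str(
            $plain,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
        );
    } else {
        throw new \RuntimeException(
            'Argon2 is not available: use PHP 7.2 or install the libsodium extension.'
        );
    }

    if (!\is_string($hash)) {
        throw new \RuntimeException('Password hashing failed.');
    }

    return $hash;
}

/**
 * Verify a plaintext password against a stored hash. Bcrypt ("$2y$...") and
 * Argon2 ("$argon2i$...") hashes are self-describing, so one check serves a
 * user table that still contains Bcrypt hashes during the migration.
 */
function verifyPassword(string $plain, string $storedHash): bool
{
    if (0 === strpos($storedHash, '$argon2') && !\defined('PASSWORD_ARGON2I')) {
        // password_verify() cannot read Argon2 hashes before PHP 7.2; ask libsodium.
        return sodium_crypto_pwhash_str_verify($storedHash, $plain);
    }

    // Bcrypt hashes on any PHP version, Argon2i hashes on PHP >= 7.2.
    return password_verify($plain, $storedHash);
}

/**
 * Gradual migration: only after a successful login (the plaintext is needed)
 * replace a legacy Bcrypt hash with an Argon2i one. Returns the new hash to
 * store, or null when the stored hash is already Argon2i with current
 * parameters and nothing needs to change.
 *
 * @return string|null
 */
function rehashIfNeeded(string $plain, string $storedHash)
{
    if (!verifyPassword($plain, $storedHash)) {
        throw new \InvalidArgumentException('Password does not match; refusing to rehash.');
    }

    if (\defined('PASSWORD_ARGON2I')) {
        // True for any Bcrypt hash, and for Argon2i hashes with outdated cost parameters.
        return password_needs_rehash($storedHash, PASSWORD_ARGON2I) ? hashArgon2i($plain) : null;
    }

    // Without PHP 7.2 we cannot inspect Argon2 parameters; migrate Bcrypt hashes only.
    return 0 === strpos($storedHash, '$argon2') ? null : hashArgon2i($plain);
}

// Demonstration with a constructed password (not a real credential).
$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

$migrated = rehashIfNeeded($password, $legacy);
echo $migrated === null ? "no rehash needed\n" : 'migrated to ' . substr($migrated, 0, 9) . "...\n";

// The new hash verifies, the old one is still accepted until it is replaced.
var_dump(verifyPassword($password, $migrated ?? $legacy));
var_dump(verifyPassword('wrong password', $migrated ?? $legacy));
```

The important design point for a migration is that the rehash happens only inside a successful authentication, because that is the only moment the plaintext is legitimately available; the existing Bcrypt hashes keep working untouched until their owners log in.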
Thanks. Are there stats (speed, security level, etc.)?
Thanks,
@Clement Roupioz,
https://github.com/p-h-c/phc-winner-argon2
Are the links to the Libsodium PHP extension and the libsodium-php library mixed up? Because "Libsodium PHP extension" links to "Sodium Compat" which is a php polyfill library that cannot be installed in a server while the "libsodium-php library" is an actual PHP extension that needs to be installed in a server and cannot be simply added to a project.
@Ulf thanks for reporting this issue. I've just fixed it.
Hi. When using Bcrypt, it is recommended to use a PHP-generated salt. Is it the same with Argon2i? Thanks
@Lýdia that's correct! We even created a new interface called SelfSaltingEncoderInterface for those encoders/hashers which don't need a user-provided salt. Both the Bcrypt and Argon2i encoders/hashers implement that interface.
See https://github.com/symfony/security-core/blob/master/Encoder/SelfSaltingEncoderInterface.php