New in Symfony 3.4: Argon2i password hasher
October 2, 2017 • Published by Javier Eguiluz
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Contributed by
Zan Baldwin
in #21604.
Symfony recommends to use the Bcrypt password hasher to hash the passwords of your applications. Bcrypt was specifically designed for long-term password storage and it's natively supported by PHP.
However, security is a fast-moving field where new best practices and recommendations emerge continuously. In recent months, Argon2 hashing algorithm popularity has exploded, especially since winning the 2015 Password Hashing competition. In fact, PHP 7.2 (to be released at the end of 2017) includes built-in support for Argon2.
That's why we decided to include an Argon2i password hasher in Symfony 3.4.
First, if you don't use PHP 7.2, add support for Argon2 installing the
Libsodium PHP extension in your server or adding the libsodium-php library
to your project. Then, use argon2i
as the algorithm of the password hasher:
1 2 3 4 5 6 7
# app/config/security.yml
security:
# ...
encoders:
Symfony\Component\Security\Core\User\User:
algorithm: 'argon2i'
In existing applications using Bcrypt with a reasonably high hashing cost, there's no immediate need to rehash all the passwords using Argon2i. However, if you are creating a new project, you could consider using this new password hashing algorithm.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
Is there stats (speed, security lvl etc?)
https://github.com/p-h-c/phc-winner-argon2
When using Bcrypt, it is recommended to use PHP generated salt. Is it same with Argon2i?
Thanks
See https://github.com/symfony/security-core/blob/master/Encoder/SelfSaltingEncoderInterface.php