New in Symfony 4.1: Argon2i configuration

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Contributed by
Dominik Müller
in #26175.
In Symfony 3.4 we introduced the Argon2i password hasher as an alternative to
the popular Bcrypt hasher. In the case of Bcrypt you can configure it with
the cost
parameter, which defines the amount of CPU power needed to hash a
password.
The Argon2i algorithm is more configurable than Bcrypt and that's why in Symfony 4.1 we've introduced several configuration options for the Argon2i hasher:
1 2 3 4 5 6 7 8 9 10
# config/packages/security.yaml
security:
# ...
encoders:
App\Entity\User:
algorithm: 'argon2i'
# maximum memory (in KiB) that may be used to compute the Argon2 hash
memory_cost: 1024
# number of times the Argon2 hash algorithm will be run
time_cost: 3
Password hashing is a fast moving field that requires continuous updates. In fact, there's an official RFC to replace the current Argon2i algorithm in the next stable PHP version by the newer Argon2id variant. Thanks to Symfony you can skip all these debates and be sure that your applications will always be safe and use the latest security best practices.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
Or add to it to the documentation
It's simple and well explained.
if (password_needs_rehash($password, PASSWORD_ARGON2I, ['cost' => 11])) {
$password = password_hash($password, PASSWORD_ARGON2I, ['cost' => 11]);
}
The password_needs_rehash() function can determine if the encrypted password was encrypted with the algorithm specified. So:
User authenticates->If successful, while you still have the plain password they just submitted to login, check the stored password in the database. If it needs to be updated, rehash the plain password with the new algorithm and store the new hash
Obviously that's overly simplified, but allows for easy migration of say MD5->BCRYPT->ARGON2I->ARGON2D->Whatever new super algo someone comes up with