
New in Symfony 4.3: Sodium password encoder

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Contributed by Robin Chalas in #31019.

In Symfony 3.4 we added an Argon2i password hasher as a modern replacement for the Bcrypt hasher. Argon2i support is provided through the libsodium library, which selects the Argon2 variant (argon2d, argon2i or argon2id) automatically based on the host system.

Given that the Argon2 variant selection is out of Symfony's control, in Symfony 4.3 we decided not to add an Argon2idPasswordEncoder; instead, we deprecated the Argon2iPasswordEncoder class and added a generic SodiumPasswordEncoder class.

This new encoder relies on libsodium to select the best possible Argon2 variant. In practice, the only change you'll need to make in most of your applications is to update the name of the hashing algorithm in the main security config file:

# config/packages/security.yaml
    # ...
-            algorithm: argon2i
+            algorithm: sodium

The name of the Argon2 variant used to hash the password is included in the hash itself, so you can update this config option safely. If a new variant is picked by libsodium, all your existing passwords will keep working.

In addition, all the existing Argon2i configuration options are still available under the new sodium algorithm name.
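The following PHP script is an added example (not code from the Symfony post or from the SodiumPasswordEncoder itself) that shows why the config change is safe: the Argon2 variant is recorded in the hash string, so libsodium verifies an existing hash regardless of which variant it would pick for new hashes. It assumes the sodium extension is loaded; the password value and the argon2Variant() helper are constructed for the example.

```php
<?php
// Added example: demonstrates that the Argon2 variant lives inside the
// PHC-formatted hash string, so switching the encoder name from argon2i
// to sodium does not invalidate stored hashes.
declare(strict_types=1);

/** Hypothetical helper: return the Argon2 variant recorded in a PHC hash. */
function argon2Variant(string $hash): string
{
    // PHC format: $argon2id$v=19$m=65536,t=2,p=1$<salt>$<hash>
    if (preg_match('/^\$(argon2(?:id|i|d))\$/', $hash, $m) !== 1) {
        throw new InvalidArgumentException('Not an Argon2 hash string');
    }
    return $m[1];
}

$password = 'correct horse battery staple'; // constructed sample input

// 1. Hash with libsodium; libsodium, not the application, picks the variant.
$sodiumHash = sodium_crypto_pwhash_str(
    $password,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
printf("libsodium chose variant: %s\n", argon2Variant($sodiumHash));

// 2. Verification reads the variant and parameters from the string itself.
printf("correct password verifies: %s\n",
    sodium_crypto_pwhash_str_verify($sodiumHash, $password) ? 'yes' : 'no');
printf("wrong password verifies: %s\n",
    sodium_crypto_pwhash_str_verify($sodiumHash, 'wrong') ? 'yes' : 'no');

// 3. A hash produced earlier with the argon2i variant (here generated via
//    password_hash() when this PHP build supports it) still verifies through
//    libsodium, which is why existing users keep working after the change.
if (defined('PASSWORD_ARGON2I')) {
    $legacyHash = password_hash($password, PASSWORD_ARGON2I);
    printf("legacy hash variant: %s\n", argon2Variant($legacyHash));
    printf("legacy hash verifies via libsodium: %s\n",
        sodium_crypto_pwhash_str_verify($legacyHash, $password) ? 'yes' : 'no');
}

// 4. Practitioner check: detect hashes whose cost parameters are below the
//    ones you want today, so they can be rehashed after a successful login.
printf("needs rehash at MODERATE limits: %s\n",
    sodium_crypto_pwhash_str_needs_rehash(
        $sodiumHash,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE
    ) ? 'yes' : 'no');
```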



Thank you Robin 👍🏻
A good improvement. Thank you Robin.
fair enough!
