Hashing passwords is one of the most critical parts of a good security system. In Symfony 4.3 we added a Sodium password encoder to hash (or "encode" as Symfony calls it for historical reasons) passwords using the libsodium library.
However, given the fast-paced evolving nature of hashers, it's less and less
recommended to select a specific hashing algorithm. Even PHP's
password_hash() function defines a special
PASSWORD_DEFAULT value to
auto-select the best possible hashing algorithm available (in current PHP
versions this is still Bcrypt, but it will change in the future).
That's why in Symfony 4.3 we made some more changes related to password
encoders. First, the new recommendation for hashing user passwords is to rely on
1 2 3 4 5 6 7 8 9
# config/packages/security.yaml security: # ... encoders: App\Entity\User: - algorithm: 'bcrypt' - algorithm: 'argon2i' - algorithm: 'sodium' + algorithm: 'auto'
This value auto-selects the best possible hashing algorithm, so it doesn't refer
to an specific algorithm and it will change in the future. The current
'sodium' if possible and otherwise, it falls back to
'native' config option is associated with the
class, which is the other main change about password hashers in Symfony 4.3.
This new encoder relies both on Symfony and PHP to select the best possible
NativePasswordEncoder implementation tries to use any of the
Argon2 variants (Argon2i or Argon2id) before falling back to Bcrypt. However, if
PASSWORD_DEFAULT PHP constant changes in the future, that new algorithm
will be selected (if PHP defines it as stronger than Argon2).
What a Symfony developer should know about the framework: News, Jobs, Tweets, Events, Videos,...