Contributed by
Nicolas Grekas
in #31140
and #31170.
Hashing passwords is one of the most critical parts of a good security system. In Symfony 4.3 we added a Sodium password encoder to hash (or "encode" as Symfony calls it for historical reasons) passwords using the libsodium library.
However, given the fast-paced evolving nature of hashers, it's less and less
recommended to select a specific hashing algorithm. Even PHP's
password_hash() function defines a special PASSWORD_DEFAULT
value to
auto-select the best possible hashing algorithm available (in current PHP
versions this is still Bcrypt, but it will change in the future).
That's why in Symfony 4.3 we made some more changes related to password
encoders. First, the new recommendation for hashing user passwords is to rely on
the 'auto'
value:
1 2 3 4 5 6 7 8 9 | # config/packages/security.yaml
security:
# ...
encoders:
App\Entity\User:
- algorithm: 'bcrypt'
- algorithm: 'argon2i'
- algorithm: 'sodium'
+ algorithm: 'auto'
|
This value auto-selects the best possible hashing algorithm, so it doesn't refer
to an specific algorithm and it will change in the future. The current
implementation uses 'sodium'
if possible and otherwise, it falls back to
'native'
.
The 'native'
config option is associated with the NativePasswordEncoder
class, which is the other main change about password hashers in Symfony 4.3.
This new encoder relies both on Symfony and PHP to select the best possible
algorithm.
The current NativePasswordEncoder
implementation tries to use any of the
Argon2 variants (Argon2i or Argon2id) before falling back to Bcrypt. However, if
the PASSWORD_DEFAULT
PHP constant changes in the future, that new algorithm
will be selected (if PHP defines it as stronger than Argon2).
What a Symfony developer should know about the framework: News, Jobs, Tweets, Events, Videos,...