New in Symfony 4.3: Native password encoder
May 17, 2019 • Published by Javier Eguiluz
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Hashing passwords is one of the most critical parts of a good security system. In Symfony 4.3 we added a Sodium password encoder to hash (or "encode" as Symfony calls it for historical reasons) passwords using the libsodium library.
However, given how quickly hashing algorithms evolve, it's less and less recommended to hard-code a specific one. Even PHP's password_hash() function defines a special PASSWORD_DEFAULT value to auto-select the best hashing algorithm available (in current PHP versions this is still Bcrypt, but it will change in the future).

That's why in Symfony 4.3 we made some more changes related to password encoders. First, the new recommendation for hashing user passwords is to rely on the 'auto' value:
```diff
# config/packages/security.yaml
security:
    # ...
    encoders:
        App\Entity\User:
-           algorithm: 'bcrypt'
-           algorithm: 'argon2i'
-           algorithm: 'sodium'
+           algorithm: 'auto'
```
This value auto-selects the best possible hashing algorithm, so it doesn't refer to a specific algorithm and what it resolves to will change in the future. The current implementation uses 'sodium' if possible and otherwise falls back to 'native'.
The 'native' config option is associated with the NativePasswordEncoder class, which is the other main change about password hashers in Symfony 4.3. This new encoder relies on both Symfony and PHP to select the best possible algorithm.

The current NativePasswordEncoder implementation tries to use one of the Argon2 variants (Argon2i or Argon2id) before falling back to Bcrypt. However, if the PASSWORD_DEFAULT PHP constant changes in the future, that new algorithm will be selected (if PHP defines it as stronger than Argon2).
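The following is an added example, not the code of Symfony's NativePasswordEncoder or of this post's author. It reproduces the selection order described above (an Argon2 variant when the PHP build provides one, otherwise whatever PASSWORD_DEFAULT points at, which is Bcrypt today) and adds the step an 'auto'-style setup needs on every login: verify against the stored hash, then rehash with the currently preferred algorithm when password_needs_rehash() says the stored one is weaker. The function names, the MAX_PASSWORD_LENGTH bound and the cost parameters are choices made for this example, not values taken from Symfony.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's NativePasswordEncoder. Selection order follows
// the post: Argon2id, then Argon2i, then PASSWORD_DEFAULT (bcrypt today).

// Upper bound on accepted plaintext length so an oversized submission cannot
// turn a deliberately slow hash into a denial of service (value chosen here).
const MAX_PASSWORD_LENGTH = 4096;

/**
 * Best algorithm constant available in this PHP build, plus matching options.
 * Returns [algorithm, options] for password_hash() / password_needs_rehash().
 */
function currentParameters(): array
{
    // PASSWORD_ARGON2ID / PASSWORD_ARGON2I exist only when PHP was compiled with Argon2 support.
    if (\defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]];
    }
    if (\defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]];
    }
    // PASSWORD_DEFAULT is bcrypt today; PHP may point it at a stronger algorithm later.
    return [PASSWORD_DEFAULT, ['cost' => 13]];
}

/** Hash a new password with the currently preferred algorithm. */
function hashPassword(string $plain): string
{
    [$algo, $options] = currentParameters();
    if (\strlen($plain) > MAX_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('Password too long.');
    }
    // bcrypt silently ignores everything after 72 bytes; refuse rather than hash a truncated secret.
    if (PASSWORD_BCRYPT === $algo && \strlen($plain) > 72) {
        throw new InvalidArgumentException('Password too long for bcrypt.');
    }
    return password_hash($plain, $algo, $options);
}

/**
 * Check $plain against a stored hash. Returns [valid, newHash]: newHash is set
 * when the stored hash uses an older algorithm or cheaper parameters than
 * currentParameters() now chooses, so the caller can replace it right after a
 * successful login (the only moment the plaintext is available).
 */
function verifyPassword(string $plain, string $stored): array
{
    if (\strlen($plain) > MAX_PASSWORD_LENGTH || !password_verify($plain, $stored)) {
        return [false, null];
    }
    [$algo, $options] = currentParameters();
    $newHash = password_needs_rehash($stored, $algo, $options)
        ? password_hash($plain, $algo, $options)
        : null;

    return [true, $newHash];
}

// Demo: a hash written by an older deployment (constructed here with bcrypt
// cost 10) still verifies and is upgraded on the fly to the current preference.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = verifyPassword('correct horse battery staple', $legacyHash);
printf("login ok: %s\n", $ok ? 'yes' : 'no');
printf("stored hash algorithm: %s\n", password_get_info($legacyHash)['algoName']);
if (null !== $upgraded) {
    printf("rehashed with: %s\n", password_get_info($upgraded)['algoName']);
}
[$bad] = verifyPassword('wrong password', $legacyHash);
printf("wrong password accepted: %s\n", $bad ? 'yes' : 'no');
```

Run it with `php example.php`. On a build without Argon2 the legacy hash is rehashed with bcrypt at the higher cost; on a build with Argon2 it is rehashed with Argon2id or Argon2i. Either way the stored hash only ever moves forward, which is what makes an auto-selecting setting safe to change later: nothing has to be re-encoded in bulk, and passwords that never log in again keep verifying under their old algorithm.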
doesn't that make the process too cumbersome?
@Josef that's being discussed for 4.4, see https://github.com/symfony/symfony/pull/31153
So following the deprecation advice:
> Configuring an encoder with "xxx" as algorithm is deprecated since Symfony 4.3, use "auto" instead.
results in authentication failure