February 27, 2018 Javier Eguiluz

In Symfony 3.4 we introduced the Argon2i password hasher as an alternative to the popular Bcrypt hasher. In the case of Bcrypt you can configure it with the cost parameter, which defines the amount of CPU power needed to hash a password.

The Argon2i algorithm is more configurable than Bcrypt and that's why in Symfony 4.1 we've introduced several configuration options for the Argon2i hasher:

1 2 3 4 5 6 7 8 9 10 # config/packages/security.yaml security : # ... encoders : App\Entity\User : algorithm : 'argon2i' # maximum memory (in KiB) that may be used to compute the Argon2 hash memory_cost : 1024 # number of times the Argon2 hash algorithm will be run time_cost : 3

Password hashing is a fast moving field that requires continuous updates. In fact, there's an official RFC to replace the current Argon2i algorithm in the next stable PHP version by the newer Argon2id variant. Thanks to Symfony you can skip all these debates and be sure that your applications will always be safe and use the latest security best practices.