May 17, 2019 Javier Eguiluz

Hashing passwords is one of the most critical parts of a good security system. In Symfony 4.3 we added a Sodium password encoder to hash (or "encode" as Symfony calls it for historical reasons) passwords using the libsodium library.

However, given the fast-paced evolving nature of hashers, it's less and less recommended to select a specific hashing algorithm. Even PHP's password_hash() function defines a special PASSWORD_DEFAULT value to auto-select the best possible hashing algorithm available (in current PHP versions this is still Bcrypt, but it will change in the future).

That's why in Symfony 4.3 we made some more changes related to password encoders. First, the new recommendation for hashing user passwords is to rely on the 'auto' value:

```diff
# config/packages/security.yaml
security:
    # ...
    encoders:
        App\Entity\User:
-           algorithm: 'bcrypt'
-           algorithm: 'argon2i'
-           algorithm: 'sodium'
+           algorithm: 'auto'
```

This value auto-selects the best possible hashing algorithm, so it doesn't refer to a specific algorithm and it will change in the future. The current implementation uses 'sodium' if possible and otherwise falls back to 'native'.

The 'native' config option is associated with the NativePasswordEncoder class, which is the other main change related to password hashers in Symfony 4.3. This new encoder relies on both Symfony and PHP to select the best possible algorithm.
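As an added illustration (not Symfony's own NativePasswordEncoder or SodiumPasswordEncoder code), here is the same "prefer sodium, otherwise fall back to native" selection written in plain PHP, together with the needs-rehash check that lets a hash stored under the old 'bcrypt' setting be upgraded transparently on the user's next successful login. The function names and the sample password are assumptions made for this example:

```php
<?php
// Added example, not Symfony code. Mirrors the 'auto' policy described above:
// libsodium (Argon2id) when the extension is loaded, else password_hash()
// with PASSWORD_DEFAULT so that PHP picks the algorithm.

function auto_hash(string $plaintext): string
{
    if (function_exists('sodium_crypto_pwhash_str')) {
        return sodium_crypto_pwhash_str(
            $plaintext,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
        );
    }
    // Fallback: bcrypt in current PHP versions, may change in the future.
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

function auto_verify(string $plaintext, string $hash): bool
{
    // Sodium writes crypt-format Argon2 strings ("$argon2id$..."); verify
    // those with sodium when it is present, everything else with PHP.
    if (0 === strpos($hash, '$argon2') && function_exists('sodium_crypto_pwhash_str_verify')) {
        return sodium_crypto_pwhash_str_verify($hash, $plaintext);
    }
    return password_verify($plaintext, $hash);
}

function auto_needs_rehash(string $hash): bool
{
    if (function_exists('sodium_crypto_pwhash_str')) {
        // Anything that is not an Argon2id hash (e.g. an old bcrypt one)
        // was produced by a weaker setting and should be upgraded.
        return 0 !== strpos($hash, '$argon2id$');
    }
    return password_needs_rehash($hash, PASSWORD_DEFAULT);
}

// Constructed login flow: a hash stored before the switch to 'auto'.
$submitted = 'correct horse battery staple';
$stored    = password_hash($submitted, PASSWORD_BCRYPT);

if (auto_verify($submitted, $stored)) {
    if (auto_needs_rehash($stored)) {
        // Re-hash with the preferred algorithm and persist the new value.
        $stored = auto_hash($submitted);
    }
    echo "login ok, stored hash now starts with: " . substr($stored, 0, 10) . "\n";
}
```

Because 'auto' moves between algorithms over time, the rehash-on-login step is what keeps existing accounts from staying on an outdated hash indefinitely.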