PasswordHasher Component

Robin Chalas

Software Architect, Developer & Maintainer.

Core Team Member @Symfony; Consultant @Les-Tilleuls.coop.

Twitter @chalas_r - GitHub @chalasr

Background

Symfony has provided password hashing utilities since 2.0

  • Originally implemented in security-core
  • Heavily inspired by Spring
  • Called Password Encoder

Password management before 5.3

 Password Encoder

The Contract

The Flaw

YOU WOULDN'T

ENCODE A PASSWORD

Hashing is cryptography.

Encoding is not.

Let's just change the wording then?

A New Component

Motivations

  • password-hasher does not require security-core to work (it only depends on PHP at the moment)
  • it is useful on its own and can be used in any PHP project

Password Hasher

Built-in implementations

  • NativePasswordHasher: password_hash()
  • SodiumPasswordHasher: ext-sodium
  • Pbkdf2PasswordHasher: hash_pbkdf2() (legacy)
  • MessageDigestPasswordHasher: hash() (legacy)
  • PlaintextPasswordHasher: no-op (insecure, test only)

NativePasswordHasher - Closer look

  • opsLimit: *argon2 only
    Maximum amount of computations to perform.
  • memLimit: *argon2 only
    Maximum amount of RAM that the function will use in KB.
  • cost: *bcrypt only
    Adaptable algorithmic cost.
  • algorithm:
    Hash algorithm.
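The four constructor options above, exercised on a standalone NativePasswordHasher. This is an added example, not code from the slides or from the Symfony project; it assumes the component is installed with Composer (symfony/password-hasher) and that the constructor takes the four arguments in the order (opsLimit, memLimit, cost, algorithm). The password value is a constructed sample.

```php
<?php
// Added example: tuning and using NativePasswordHasher on its own (no security-core needed).
// Assumption: `composer require symfony/password-hasher` has been run in this directory.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;

// Small check helper so the example fails loudly even where PHP's assert() is disabled.
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('FAILED: '.$what);
    }
}

// Constructor order: (?int $opsLimit, ?int $memLimit, ?int $cost, ?string $algorithm).
// Passing the algorithm explicitly avoids depending on what the default resolves to
// on a given PHP build (argon2 support is optional).
// bcrypt: only "cost" applies (4..31); each +1 doubles the work. Tune it so one hash
// takes roughly 100-250 ms on the hardware that will actually run it.
$bcryptHasher = new NativePasswordHasher(null, null, 13, PASSWORD_BCRYPT);

$plain = 'correct horse battery staple'; // constructed sample password

$hash = $bcryptHasher->hash($plain);
// Hashes carry algorithm, cost and a random salt, so two hashes of one password differ.
expect($hash !== $bcryptHasher->hash($plain), 'hashes are salted');
expect(0 === strncmp($hash, '$2y$13$', 7), 'bcrypt hash with cost 13');

// Argument order matters: verify(hashedPassword, plainPassword).
expect(true === $bcryptHasher->verify($hash, $plain), 'correct password verifies');
expect(false === $bcryptHasher->verify($hash, 'wrong password'), 'wrong password rejected');
expect(false === $bcryptHasher->verify($hash, ''), 'empty password is always rejected');

// Raising the cost later: old hashes still verify, and needsRehash() tells you to
// re-hash them on the next successful login (the only moment the plaintext is available).
$strongerHasher = new NativePasswordHasher(null, null, 14, PASSWORD_BCRYPT);
expect(true === $strongerHasher->verify($hash, $plain), 'old hash still verifies');
expect(true === $strongerHasher->needsRehash($hash), 'old hash flagged for upgrade');
expect(false === $bcryptHasher->needsRehash($hash), 'current hash not flagged');

// argon2id: only opsLimit/memLimit apply. Caveat: check the unit your installed version
// expects for memLimit (the hasher converts it to password_hash()'s memory_cost); a value
// that is too small does not error out, it silently produces a weak, low-memory argon2 hash.
if (defined('PASSWORD_ARGON2ID')) {
    $argonHasher = new NativePasswordHasher(4, 64 * 1024 * 1024, null, PASSWORD_ARGON2ID);
    $argonHash = $argonHasher->hash($plain);
    expect(0 === strncmp($argonHash, '$argon2id$', 10), 'argon2id hash produced');
    expect(true === $argonHasher->verify($argonHash, $plain), 'argon2id hash verifies');
    // A bcrypt-configured hasher treats an argon2 hash as needing migration.
    expect(true === $bcryptHasher->needsRehash($argonHash), 'argon2 hash flagged under bcrypt');
}

echo "all checks passed\n";
```

Run it with `php example.php`; the last line is printed only if every check holds. The algorithm-specific options are not validated against each other, so passing bcrypt options to an argon2 hasher (or vice versa) is silently ignored rather than rejected.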

Standalone Usage

Single hasher

Multiple hashers: Factory

Migrating: from SHA512 to BCrypt
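The factory and migration slides above, worked through in code. This is an added example, not code from the slides or from the Symfony project; it assumes symfony/password-hasher is installed via Composer, that PasswordHasherFactory accepts the `algorithm`, `encode_as_base64`, `iterations`, `cost` and `migrate_from` config keys, and that an unknown algorithm name such as `sha512` is mapped to MessageDigestPasswordHasher. The user record and password are constructed samples; `loginAndUpgrade()` is a hypothetical helper.

```php
<?php
// Added example: several hashers behind one factory, with a migration path from a
// legacy SHA-512 hasher (MessageDigestPasswordHasher) to bcrypt.
// Assumption: `composer require symfony/password-hasher` has been run in this directory.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\PasswordHasher\Hasher\MessageDigestPasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('FAILED: '.$what);
    }
}

// The factory maps a name (or a user class name) to a hasher configuration.
// "migrate_from" wraps the target hasher in a MigratingPasswordHasher: new hashes use
// bcrypt, while verification also falls back to the listed legacy hashers.
$factory = new PasswordHasherFactory([
    'legacy' => ['algorithm' => 'sha512', 'encode_as_base64' => true, 'iterations' => 5000],
    'app_users' => ['algorithm' => 'bcrypt', 'cost' => 13, 'migrate_from' => ['legacy']],
]);

// Hypothetical user record, constructed for this example; a real app loads it from storage.
$user = ['id' => 42, 'password' => null];
$plain = 'hunter2-but-longer'; // constructed sample password

// Simulate what the database still holds from the years on the old hasher.
$legacyHasher = new MessageDigestPasswordHasher('sha512', true, 5000);
$user['password'] = $legacyHasher->hash($plain);

$hasher = $factory->getPasswordHasher('app_users');

// The old hash still verifies through the migrating hasher...
expect(true === $hasher->verify($user['password'], $plain), 'legacy hash verifies');
expect(false === $hasher->verify($user['password'], 'not the password'), 'wrong password rejected');
// ...but is flagged for upgrade because it is not a bcrypt hash with the configured cost.
expect(true === $hasher->needsRehash($user['password']), 'legacy hash flagged for rehash');

// Hypothetical login routine: the transparent upgrade happens right after a successful
// verification, the only moment the plaintext is in hand.
function loginAndUpgrade(array &$user, string $plain, PasswordHasherInterface $hasher): bool
{
    if (!$hasher->verify($user['password'], $plain)) {
        return false;
    }
    if ($hasher->needsRehash($user['password'])) {
        $user['password'] = $hasher->hash($plain); // persist the new hash in real code
    }

    return true;
}

expect(true === loginAndUpgrade($user, $plain, $hasher), 'login succeeds');
expect(0 === strncmp($user['password'], '$2y$13$', 7), 'stored hash is now bcrypt cost 13');
expect(false === $hasher->needsRehash($user['password']), 'upgraded hash no longer flagged');
expect(true === $hasher->verify($user['password'], $plain), 'upgraded hash verifies');
expect(false === loginAndUpgrade($user, 'wrong', $hasher), 'bad login still fails');

echo "migration checks passed\n";
```

Because legacy hashes are only re-hashed on login, accounts that never log in keep their SHA-512 hashes indefinitely; a migration is complete only once `needsRehash()` is false for every stored hash, which is worth measuring rather than assuming.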

Full Stack

Next Steps

  • DX Enhancements
    Improve the profiler panel, console commands...
  • More Hashers
    Keep implementing state-of-the-art hash algos
  • Maintenance
    Fine-tune existing hashers

It Begins!

\o/

More?

Consider

  • Having a look at the wonderful Symfony documentation;
  • Letting us know about the features you'd like to see;
  • Sponsoring me and other Symfony Core Team members on GitHub.

Thank you!

Symfony PasswordHasher

By Robin Chalas

In Symfony 5.3, the password hashing logic has been extracted out of the security-core package into a first-class package named password-hasher. This component provides a clean API to manage passwords securely, and it can be used in any PHP project. Let's see how this component works and how it can ease managing passwords in your applications.