PasswordHasher Component
Robin Chalas
Software Architect,
Developer & Maintainer.
Core Team Member @Symfony;
Consultant @Les-Tilleuls.coop.
Background
Symfony provides password hashing utilities since 2.0
Background
- Originally implemented in security-core
- Heavily inspired by Spring
- Called Password Encoder
Password management before 5.3
Password Encoder
The Contract
Password Encoder
The Flaw
YOU WOULDN'T
ENCODE A PASSWORD
Hashing is cryptography.
Encoding is not.
Let's just change the wording then?
A New Component
A New Component
- password-hasher does not require security-core to work (only depends on PHP ATM)
Motivations
- it is useful on its own, can be used in any PHP project
Password Hasher
Built-in implementations
Password Hasher
- NativePasswordHasher: password_hash()
- SodiumPasswordHasher: ext-sodium
- Pbkdf2PasswordHasher: hash_pbkdf2() (legacy)
- MessageDigestPasswordHasher: hash() (legacy)
- PlaintextPasswordHasher: no-op (unsecure, test only)
NativePasswordHasher - Closer look
Password Hasher
NativePasswordHasher - Closer look
Password Hasher
-
opsLimit: *argon2 only
Maximum amount of computations to perform.
-
memLimit: *argon2 only
Maximum amount of RAM that the function will use in KB.
-
cost: *bcrypt only
Adaptable algorithmic cost.
-
algorithm:
Hash algorithm.
Standalone Usage
Single hasher
Standalone Usage
Multiple hashers: Factory
Standalone Usage
Migrating: from SHA512 to BCrypt
Full Stack
Full Stack
Full Stack
Next Steps
-
DX Enhancements
Improve the profiler panel, console commands...
-
More Hashers
Keep implementing state-of-the-art hash algos
-
Maintenance
Fine-tune existing hashers
It Begins!
\o/
More?
- Having a look at the wonderful Symfony documentation;
- Letting us know about the features you'd like to see;
- Sponsoring me and other Symfony Core Team members on Github.
Consider
Thank you!