Robin Chalas

Software Architect,

Developer & Maintainer.

Core Team Member @Symfony;

Consultant @Les-Tilleuls.coop.

Twitter @chalas_r  - GitHub @chalasr

Background

symfony.com/doc/2.7/security.html#c-encoding-the-user-s-password

Background

• Originally implemented in security-core

• Heavily inspired by Spring

• Called Password Encoder

Password management before 5.3

 Password Encoder

The Contract

 Password Encoder

The Flaw

YOU WOULDN'T

ENCODE A PASSWORD

Let's just change the wording then?

A New Component

A New Component

• password-hasher does not require security-core to work (only depends on PHP ATM)

Motivations

• it is useful on its own, can be used in any PHP project

 Password Hasher

Built-in implementations

 Password Hasher

• NativePasswordHasher:  password_hash()
• SodiumPasswordHasher: ext-sodium
• Pbkdf2PasswordHasher: hash_pbkdf2() (legacy)
• MessageDigestPasswordHasher: hash() (legacy)
• PlaintextPasswordHasher: no-op (unsecure, test only)

NativePasswordHasher - Closer look

 Password Hasher

NativePasswordHasher - Closer look

 Password Hasher

• opsLimit: *argon2 only
  Maximum amount of computations to perform.
   

• memLimit: *argon2 only
  Maximum amount of RAM that the function will use in KB.
   

• cost: *bcrypt only
  Adaptable algorithmic cost.
   

• algorithm:
  Hash algorithm.

Standalone Usage

Single hasher

Standalone Usage

Multiple hashers: Factory

Standalone Usage

Migrating: from SHA512 to BCrypt

Full Stack

Full Stack

Full Stack

Next Steps

• DX Enhancements
  Improve the profiler panel, console commands...
   
• More Hashers
  Keep implementing state-of-the-art hash algos
   
• Maintenance
  Fine-tune existing hashers

It Begins!

\o/

More?

• Having a look at the wonderful Symfony documentation;
   
• Letting us know about the features you'd like to see;
   
• Sponsoring me and other Symfony Core Team members on Github.

Thank you!