Skip to content

[Security] bcrypt is the new default hasher for native/auto #14992

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 17, 2021
Merged

[Security] bcrypt is the new default hasher for native/auto #14992

merged 1 commit into from
Feb 17, 2021

Conversation

javiereguiluz
Copy link
Member

Fixes #14980.

@javiereguiluz javiereguiluz added this to the 5.3 milestone Feb 17, 2021
@OskarStark
Copy link
Contributor

Thank you Javier.

@OskarStark OskarStark merged commit a0ceecd into symfony:5.x Feb 17, 2021
@chalasr chalasr mentioned this pull request Jun 9, 2021
Closed
@pableu pableu mentioned this pull request Jun 10, 2021
Merged
javiereguiluz added a commit that referenced this pull request Jun 11, 2021
@javiereguiluz
minor #15430 [Security] Update description of password hasher config …
74e53fb 
…(pableu)

This PR was merged into the 5.3 branch.

Discussion
----------

[Security] Update description of password hasher config

The description of the password hashers in the reference isn't up to date for Symfony 5.3.

"Auto" now always uses bcrypt (see #14980 and #14992), but it  wasn't reflected here. I initially thought this was a bug in the password hasher component itself and created a symfony/symfony#41646, but I've since learned that the switch to bcrypt was intentional :-)

I updated all the hasher descriptions a bit and removed the part about sodium before PHP 7.2 because Symfony 5.3 requires PHP >= 7.2. I also added an extra paragraph for the bcrypt hasher because it was a bit mixed into the description of the "auto" hasher.

Commits
-------

d404d19 [Security] update description of password hasher config
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj wouterj approved these changes

@OskarStark OskarStark OskarStark approved these changes

Assignees
No one assigned
Labels
Security Status: Reviewed
Projects
None yet
Milestone
5.3
Development

Successfully merging this pull request may close these issues.

[PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto"
4 participants
@javiereguiluz @OskarStark @wouterj @carsonbot