Sofia Grillo

Reputation: 481

Symfony 5.3 password hashing changed back from "$argon2id" to "$2y$13"

I am updating a Symfony app from 5.2 to 5.3

I see that after login, the password in the DB is changed from $argon2id$v=19$m=65536,t=4,p=... to $2y$13$f...

In 4.4 I had implemented migrations as described here; now I have renamed it to password_hashers as described here (but the same thing happens with encoders).

What I don't understand is whether this change is intended or not. I know this algorithm with $2y$13 (I don't know its name, sorry, I'm not an encryption expert) was used in the past; I have users who haven't logged in since 2020 who still have password hashes starting with $2y$13.

Have they reverted the default algorithm to that one? I can't find any info about that. Or am I doing something wrong? In security.yaml I have:

password_hashers:
    App\Entity\User:
        algorithm: auto

Upvotes: 1

Views: 1285

Answers (1)

yivi

Reputation: 47567

This surprised me too. I haven't seen it documented in the changelog.

It's mentioned in the documentation, but in a very subtle way (as a comment in one of the configuration examples, here).

Between 5.2 and 5.3 the default algorithm when selecting auto as an option changed from Sodium to Bcrypt. The actual change was made in this commit.

The take away is: if you want to use Sodium, you'll have to enable it explicitly in your configuration (use sodium instead of auto).

Your passwords hashed with different algorithms will be recognized anyway, and since you have already implemented PasswordUpgraderInterface, the hashes will be migrated back to Sodium.

Upvotes: 1
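To make the behaviour described in the answer concrete, here is an added example that is not code from the question, the answer or Symfony itself: a plain-PHP model of what Symfony's migrating (auto) hasher does, built only on PHP's native password_* functions. It assumes PHP 7.3 or newer built with argon2 support (so PASSWORD_ARGON2ID is defined); the bcrypt cost 13 and the argon2id parameters m=65536,t=4 are taken from the hashes shown in the question. The function and variable names are this example's own.

```php
<?php
// Added example, not code from the question, the answer or Symfony itself.
// A plain-PHP model of what Symfony's migrating ("auto") hasher does: verify against
// whatever algorithm the stored prefix says, then rehash to the configured target.
// Assumption: PHP >= 7.3 built with argon2 support (so PASSWORD_ARGON2ID exists).
declare(strict_types=1);

// Target of Symfony 5.3 'auto' as described in the answer: bcrypt, cost 13 -> "$2y$13$..."
function targetBcrypt(): array
{
    return ['algo' => PASSWORD_BCRYPT, 'options' => ['cost' => 13]];
}

// Target of 5.2 'auto' / explicit 'sodium': argon2id. Parameters copied from the hash
// in the question ($argon2id$v=19$m=65536,t=4,...). Symfony's SodiumPasswordHasher uses
// libsodium rather than password_hash(), but the stored string format is the same.
function targetArgon2id(): array
{
    if (!defined('PASSWORD_ARGON2ID')) {
        throw new RuntimeException('This PHP build has no argon2id support');
    }
    return ['algo' => PASSWORD_ARGON2ID, 'options' => ['memory_cost' => 65536, 'time_cost' => 4]];
}

/**
 * Check $plain against $stored (any supported prefix) and decide whether the row
 * should be rewritten. Returns [bool $valid, ?string $newHash]; $newHash is what a
 * PasswordUpgraderInterface::upgradePassword() implementation would persist.
 */
function verifyAndMaybeUpgrade(string $plain, string $stored, array $target): array
{
    // password_verify() picks the algorithm from the prefix ($2y$, $argon2id$, ...),
    // which is why a table holding a mix of both keeps working after the default changes.
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // True when the algorithm or its cost parameters differ from the target:
    // this is the "migration" branch.
    if (password_needs_rehash($stored, $target['algo'], $target['options'])) {
        return [true, password_hash($plain, $target['algo'], $target['options'])];
    }
    return [true, null];
}

function show(string $label, string $hash): void
{
    // algoName is 'bcrypt', 'argon2id', ... as detected from the prefix.
    printf("%-26s %-9s %s...\n", $label, password_get_info($hash)['algoName'], substr($hash, 0, 30));
}

// Constructed demo rows: one written by 5.2 (argon2id), one by 4.4 (bcrypt, cost 13).
$plain = 'correct horse battery staple';
$t = targetArgon2id();
$rowFrom52 = password_hash($plain, $t['algo'], $t['options']);
$b = targetBcrypt();
$rowFrom44 = password_hash($plain, $b['algo'], $b['options']);

// 5.3 with 'auto': the argon2id row is rewritten to bcrypt on the next login
// (the behaviour observed in the question); the bcrypt row is left alone.
[$ok, $new] = verifyAndMaybeUpgrade($plain, $rowFrom52, targetBcrypt());
show('5.3 auto, argon2id row', $new ?? $rowFrom52);
[$ok2, $new2] = verifyAndMaybeUpgrade($plain, $rowFrom44, targetBcrypt());
show('5.3 auto, bcrypt row', $new2 ?? $rowFrom44);

// 'algorithm: sodium' instead of 'auto' (the answer's fix): the bcrypt row migrates back.
[$ok3, $new3] = verifyAndMaybeUpgrade($plain, $rowFrom44, targetArgon2id());
show('5.3 sodium, bcrypt row', $new3 ?? $rowFrom44);

// A wrong password is rejected regardless of prefix and never triggers a rewrite.
[$bad, $none] = verifyAndMaybeUpgrade('wrong password', $rowFrom52, targetBcrypt());
assert($bad === false && $none === null);
```

Two things worth checking in a real deployment: password_needs_rehash() also returns true when only the cost parameters differ, so raising cost or memory_cost in the configuration silently triggers the same rewrite on next login; and bcrypt at cost 13 and argon2id at 64 MiB both take a noticeable fraction of a second per call, so the migration path runs only after a successful login and should never be looped over a whole table.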
