@@ -319,35 +319,28 @@ hashing algorithm. Also, each algorithm defines different config options:
319319 ;
320320 };
321321
322- reference-security-sodium :
323- .. _using-the-argon2i-password-encoder :
324- .. _using-the-sodium-password-encoder :
325-
326- Using the Sodium Password Hasher
327- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
328-
329- It uses the `Argon2 key derivation function `_ and it's the hasher recommended
330- by Symfony. Argon2 support was introduced in PHP 7.2, but if you use an earlier
331- PHP version, you can install the `libsodium `_ PHP extension.
332-
333- The hashed passwords are ``96 `` characters long, but due to the hashing
334- requirements saved in the resulting hash this may change in the future, so make
335- sure to allocate enough space for them to be persisted. Also, passwords include
336- the `cryptographic salt `_ inside them (it's generated automatically for each new
337- password) so you don't have to deal with it.
338322
339323reference-security-encoder-auto :
340324.. _using-the-auto-password-encoder :
341325
342326Using the "auto" Password Hasher
343327~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
344328
345- It selects automatically the best possible hasher. Currently, it tries to use
346- Sodium by default and falls back to the `bcrypt password hashing function `_ if
347- not possible. In the future, when PHP adds new hashing techniques, it may use
348- different password hashers.
329+ It automatically selects the best available hasher. Starting from Symfony 5.3,
330+ it uses the Bcrypt Password Hasher. If PHP or Symfony adds new Password Hashers
331+ in the future, it might select a different hasher.
332+
333+ Because of this, the length of the hashed passwords may change in the future
334+ (if the "auto" implementation changes), so make sure to allocate enough space
335+ for them to be persisted. ``varchar(255) `` should be a good setting.
349336
350- It produces hashed passwords with ``60 `` characters long, so make sure to
337+ .. _reference-security-encoder-bcrypt :
338+
339+ Using the Bcrypt Password Hasher
340+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
341+
342+ It produces hashed passwords with the `bcrypt password hashing function `_.
343+ Hashed passwords are ``60 `` characters long, so make sure to
351344allocate enough space for them to be persisted. Also, passwords include the
352345`cryptographic salt `_ inside them (it's generated automatically for each new
353346password) so you don't have to deal with it.
@@ -368,6 +361,22 @@ used back when they were hashed.
368361 the cost to ``4 ``, which is the minimum value allowed, in the ``test ``
369362 environment configuration.
370363
364+ .. _reference-security-sodium :
365+ .. _using-the-argon2i-password-encoder :
366+ .. _using-the-sodium-password-encoder :
367+
368+ Using the Sodium Password Hasher
369+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
370+
371+ It uses the `Argon2 key derivation function `_. Argon2 support was introduced
372+ in PHP 7.2 by bundeling the `libsodium `_ extension.
373+
374+ The hashed passwords are ``96 `` characters long, but due to the hashing
375+ requirements saved in the resulting hash this may change in the future, so make
376+ sure to allocate enough space for them to be persisted. Also, passwords include
377+ the `cryptographic salt `_ inside them (it's generated automatically for each new
378+ password) so you don't have to deal with it.
379+
371380.. _reference-security-pbkdf2 :
372381.. _using-the-pbkdf2-encoder :
373382
0 commit comments